I have sssd doing authentication through ldap and I actually have a working configuration
that uses access_provider=ldap and ldap_access_filter and does the right thing on CentOS
6.4. On another system (CentOS 6.7) the exact same configuration does not work. Access
is granted at all times no matter what. In fact, I can put in access_provider=deny, and
access is still granted. Is there some dependency that I got right on the first system
that is incorrect on this one? I can post logs if needed.
Relevant info for non-working system:
OS: CentOS 6.7 x86_64
sssd version: 1.12.4-47 (also tried 1.13.3 built from source)
sssd.conf:
[domain/ldap]
ldap_schema = rfc2307
ldap_search_base = dc=DOMAIN
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = deny
ldap_uri = ldaps://LDAP_SERVER1,ldaps://LDAP_SERVER2
cache_credentials = True
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
config_file_version = 2
services = nss, pam
debug_level = 1
domains = ldap
[nss]
debug_level = 1
[pam]
debug_level = 1
/etc/nsswitch.conf (relevant bits):
passwd: sss files
shadow: sss files
group: sss files
services: files sss
netgroup: files sss ldap
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Thank you for any help,
-JE
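As an added illustration (not part of the original post, and not a diagnosis of the poster's system): the account lines of the system-auth quoted above, walked by a small Python simulation of Linux-PAM's control-flag semantics from pam.conf(5). Module return codes are stubbed in a constructed table rather than coming from real modules, so the point is only to see under which results the pam_sss verdict decides the outcome and under which the stack grants access without it, for example when pam_sss answers user_unknown (mapped to ignore in the bracketed control) or when pam_localuser succeeds first.

```python
"""Walk a Linux-PAM 'account' stack the way libpam does, to see when the
pam_sss verdict decides the result.  Added example, not part of the original
post: control-flag semantics follow pam.conf(5); module return codes come
from a stub table (constructed for illustration) instead of real modules."""

import re

# Constructed input: the account lines of the system-auth quoted in the post.
SYSTEM_AUTH = """\
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""

# pam.conf(5): the keyword controls are shorthand for these action tables.
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_stack(text, phase="account"):
    """Return [(module, args, actions)] for one management phase."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$", line)
        if not m or m.group(1) != phase:
            continue
        ctrl = m.group(2)
        if ctrl.startswith("["):
            actions = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            actions = dict(SIMPLE[ctrl])
        entries.append((m.group(3), m.group(4).split(), actions))
    return entries


def run_stack(entries, results):
    """results(module, args) -> PAM code name ('success', 'perm_denied',
    'user_unknown', 'auth_err').  Returns (final status, trace)."""
    impression, status, trace = None, None, []
    for module, args, actions in entries:
        rc = results(module, args)
        action = actions.get(rc, actions["default"])
        trace.append((module, rc, action))
        if action in ("ok", "done"):
            # libpam only lets a later module overwrite an undefined or positive status
            if impression is None or (impression == "pos" and status == "success"):
                impression = "pos"
                status = "success" if rc == "success" else "fail"
            if action == "done" and impression == "pos":
                break                       # sufficient: stop here
        elif action in ("bad", "die"):
            if impression != "neg":         # the first failure is frozen
                impression, status = "neg", "fail"
            if action == "die":
                break                       # requisite: stop here
        # 'ignore': the module does not contribute to the result
    return (status or "fail"), trace


def account_outcome(local_user, uid, sss_rc):
    """Stub one hypothetical login (constructed scenario): is the user also in
    /etc/passwd, what is the uid, and what does pam_sss's account check return."""
    def results(module, args):
        if module == "pam_unix.so":
            return "success"             # user resolves via NSS, no expiry set
        if module == "pam_localuser.so":
            return "success" if local_user else "perm_denied"
        if module == "pam_succeed_if.so":
            return "success" if uid < 500 else "auth_err"
        if module == "pam_sss.so":
            return sss_rc
        if module == "pam_permit.so":
            return "success"
        return "perm_denied"
    status, trace = run_stack(parse_stack(SYSTEM_AUTH), results)
    sss_action = next((a for m, _, a in trace if m == "pam_sss.so"), "not reached")
    return status, sss_action


if __name__ == "__main__":
    for label, scenario in [
        ("LDAP user, sssd denies (access_provider=deny)", (False, 1000, "perm_denied")),
        ("LDAP user, sssd allows",                        (False, 1000, "success")),
        ("LDAP user, sssd does not know the user",        (False, 1000, "user_unknown")),
        ("same name also in /etc/passwd",                 (True,  1000, "success")),
    ]:
        print(f"{label}: {account_outcome(*scenario)}")
```

Reading the trace: with this stack a deny from pam_sss is frozen as the result (pam_permit cannot override it), but a user_unknown from pam_sss is ignored and pam_permit then grants, and a local account never reaches pam_sss at all. Whether the real pam_sss on a given host returns a denial or user_unknown is what the sssd pam and domain logs at a higher debug_level would show; the simulation only makes the stack's arithmetic visible.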