Thanks Jakub.
Hmmm, not sure I understand, can you elaborate with an example using
dc=ad,dc=example,dc=com?
Thanks,
Sterling
------ Original Message ------
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: "Sterling Sahaydak" <sterling.sahaydak(a)pi-coral.com>
Cc: "Sumit Bose" <sbose(a)redhat.com>; "End-user discussions about the
System Security Services Daemon" <sssd-users(a)lists.fedorahosted.org>
Sent: 4/29/2015 12:29:11 PM
Subject: Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt
= 6 (Permission denied)
On Wed, Apr 29, 2015 at 04:23:01PM +0000, Sterling Sahaydak wrote:
> Solved my issue!
>
> The key wasn't from the messages running sssd using: /usr/sbin/sssd -D
> -ddd and reading what was sent to screen.
>
> Instead it was looking within the sssd_LDAP.log file itself:
>
> (Wed Apr 29 11:42:58 2015) [sssd[be[LDAP]]] [sdap_access_filter_send]
> (0x0400): No filter set.
> (Wed Apr 29 11:42:58 2015) [sssd[be[LDAP]]] [sdap_access_done]
> (0x0400): Access was denied.
>
> The ldap_access_filter set to:
>
> ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
>
> Appears this is not a filter.
>
> To resolve, changed it to use:
>
> ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
>
> The documentation is a little vague for ldap_access_filter as to what
> qualifies clearly as a filter.
>
> Malformed filter in the code didn't appear to get triggered?
>
>
> Thanks again to Jakub and Sumit for taking the time to help!!!
I'm glad it works fine for you now, but please note the simple access
provider is a much better choice for restricting access by groups
because the memberof attribute in AD only points to direct parents, not
all parents.
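As an added illustration of the misconfiguration discussed in this thread (not code from Sterling, Jakub, or the SSSD project), the script below reads sssd.conf text and flags an ldap_access_filter value that is a bare DN rather than an LDAP search filter, the situation that produced "No filter set" / "Access was denied" above. The configuration fragments are constructed for the example; the DN-versus-filter test is a heuristic written here, not SSSD's own parsing logic. It also shows the simple access provider alternative Jakub mentions (access_provider = simple with simple_allow_groups), which the check deliberately leaves alone because the filter option does not apply to it.

```python
import configparser
import re

# Constructed sssd.conf fragments (assumed values, not from the thread): the
# value that SSSD rejected as "not a filter", the working filter replacement,
# and the simple-provider alternative for group-based access control.
BROKEN_CONF = """\
[domain/LDAP]
id_provider = ldap
access_provider = ldap
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
"""

FIXED_CONF = """\
[domain/LDAP]
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberof=cn=groupname,ou=groups,dc=ad,dc=example,dc=com
"""

SIMPLE_CONF = """\
[domain/LDAP]
id_provider = ldap
access_provider = simple
simple_allow_groups = groupname
"""

# One RDN of a DN: attribute=value, with no further '=' inside the value.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=]+$")


def looks_like_dn(value):
    """Heuristic: a DN is comma-joined attr=value pairs, each with one '='.

    A filter item such as memberof=cn=x,ou=y,... is not mistaken for a DN
    because its first comma-separated component carries two '=' signs.
    """
    parts = [p.strip() for p in value.split(",")]
    return len(parts) > 1 and all(_RDN.match(p) for p in parts)


def balanced_parens(value):
    """True when every '(' in an RFC 4515 style filter has a matching ')'."""
    depth = 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_access_filter(conf_text):
    """Return (section, problem) tuples for each domain using the ldap access provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # SSSD's default access_provider is permit; only ldap uses the filter.
        if cp.get(section, "access_provider", fallback="permit") != "ldap":
            continue
        value = cp.get(section, "ldap_access_filter", fallback="").strip()
        if not value:
            findings.append((section, "access_provider is ldap but no ldap_access_filter is set"))
        elif looks_like_dn(value):
            findings.append((section, "ldap_access_filter is a DN, not a search filter"))
        elif not balanced_parens(value):
            findings.append((section, "ldap_access_filter has unbalanced parentheses"))
        elif "=" not in value:
            findings.append((section, "ldap_access_filter contains no attribute=value item"))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("simple", SIMPLE_CONF)):
        print(name, check_access_filter(conf))
```

Running the check against the real file (`check_access_filter(open("/etc/sssd/sssd.conf").read())`) reports the DN case before sssd is restarted, rather than after users are locked out.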