Hi
I'm trying to authenticate users based on group membership in our Google LDAP directory. I can authenticate just fine without the 'ldap_access_filter' but when I enable it they still authenticate even when the user is not a group member. Additionally I don't see any check of the group membership in the logs, so I must be doing something wrong. Please help me.
My sssd.conf
[sssd]
services = nss, pam
domains = domain.dk

[domain/domain.dk]
# Base settings
debug_level = 8
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter
ldap_id_use_start_tls = true
ldap_uri = ldaps://ldap.google.com
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = ou=Users,dc=domain,dc=com
ldap_group_search_base = ou=Groups,dc=domain,dc=com
ldap_tls_cert = /etc/sssd/google-ldap-client.crt
ldap_tls_key = /etc/sssd/google-ldap-client.key
# Disable TLS 1.3: Google LDAP doesn't work with it
ldap_tls_cipher_suite = NORMAL:!VERS-TLS1.3
# Access control
ldap_access_filter = (memberOf=CN=vpn,ou=Groups,dc=domain,dc=com)
# Google recommended settings
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID

I have been looking for any lines in the logs referencing my vpn group, but there are none. I have even tried switching to 'auth_provider = simple', but there is no reference to the group check.
Regards Supergoof
Am Mon, May 09, 2022 at 01:54:00PM +0200 schrieb Bo Riis Toelberg Kristensen:
Hi,
I do not see anything obviously wrong in your sssd.conf. 'auth_provider = simple' does not exist, only 'access_provider = simple'. With PAM, authentication and authorization are different steps, 'auth' and 'acct' in the related PAM configuration. Are you sure pam_sss is configured in the 'acct' section?
Would it be possible to send logs with 'debug_level = 9' in the [pam] and [domain/...] section of sssd.conf?
bye, Sumit
CEGO A/S will as part of your communication and interaction with us collect and process personal data about you. You can read more about our collection and processing of your personal data and your rights as a data subject at https://cego.dk/gdpr/
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi Sumit
Thank you for taking the time to help me.
You nailed it :-)
In my PAM config I only had "auth required pam_sss.so"; after adding "account required pam_sss.so" I now see the following in the sssd_domain.log:

(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_send] (0x0400): Performing access check for user [br@domain.dk]
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [br@domain.dk]
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_print_server] (0x2000): Searching 216.239.32.58:636
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=br)(objectclass=posixAccount)(memberOf=cn=vpn,ou=groups,dc=domain,dc=dk))][uid=br,ou=Users,dc=domain,dc=dk].
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_op_add] (0x2000): New operation 12 timeout 6
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_process_result] (0x2000): Trace: sh[0x5646f7c363a0], connected[1], ops[0x5646f7f1ffa0], ldap[0x5646f7c37e00]
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_op_destructor] (0x2000): Operation 12 finished
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_done] (0x0100): User [br@domain.dk] was not found with the specified filter. Denying access.
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sysdb_ldb_msg_difference] (0x2000): Added attr [ldap_access_filter_allow] to entry [name= br@domain.dk,cn=users,cn=domain.dk,cn=sysdb]
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sysdb_set_entry_attr] (0x0200): Entry [name=br@domain.dk,cn=users,cn=domain.dk,cn=sysdb] has set [cache, ts_cache] attrs.
(Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_done] (0x0400): Access was denied.
Thank you very much for helping
Happy regards Bo
On Mon, 9 May 2022 at 18:48, Sumit Bose sbose@redhat.com wrote:
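The root cause in this thread is that sssd evaluates access_provider in PAM's 'account' stage, so an ldap_access_filter is silently never applied when pam_sss.so is only listed under 'auth'. As an added example (not code from the thread or from sssd), here is a small checker for that mistake and for the non-existent 'auth_provider = simple' that Sumit pointed out. The sssd.conf and PAM lines below are constructed to mirror the thread; the fallback values for access_provider ('permit') and ldap_access_order ('filter') are the documented sssd.conf(5) defaults.

```python
import configparser
import re

# Constructed inputs that mirror the thread, not the poster's real files.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = domain.dk
[domain/domain.dk]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=CN=vpn,ou=Groups,dc=domain,dc=com)
"""
PAM_AUTH_ONLY = "auth    required pam_sss.so\n"                      # before the fix
PAM_WITH_ACCOUNT = PAM_AUTH_ONLY + "account required pam_sss.so\n"  # after the fix

# PAM line: [-]type control module [args]; control may be a [bracketed] action list.
PAM_LINE = re.compile(r"^\s*-?(?P<type>auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(?P<module>\S+)")


def pam_stacks(pam_text):
    """Return {management group: [modules]} for a PAM service file."""
    stacks = {}
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if m:
            stacks.setdefault(m["type"], []).append(m["module"])
    return stacks


def access_control_problems(sssd_text, pam_text):
    """List reasons why an SSSD LDAP access filter would not be enforced."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    problems = []
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        dom = cp[name]
        if dom.get("auth_provider") == "simple":
            problems.append(f"{name}: 'simple' is an access_provider, not an auth_provider")
        provider = dom.get("access_provider", "permit")  # sssd.conf(5) default: permit
        if provider == "permit":
            problems.append(f"{name}: no access_provider, every authenticated user is allowed")
        elif provider == "ldap":
            order = [o.strip() for o in dom.get("ldap_access_order", "filter").split(",")]
            if "filter" in order and not dom.get("ldap_access_filter"):
                problems.append(f"{name}: 'filter' in ldap_access_order but ldap_access_filter is empty")
    # sssd evaluates access_provider in PAM's account stage, never in auth.
    if not any(m.endswith("pam_sss.so") for m in pam_stacks(pam_text).get("account", [])):
        problems.append("PAM: pam_sss.so is not in the 'account' stack, so access_provider is never consulted")
    return problems

if __name__ == "__main__":
    print(access_control_problems(SSSD_CONF, PAM_AUTH_ONLY) or "OK")
```

Point it at real files by reading /etc/sssd/sssd.conf and the relevant /etc/pam.d service file into the two arguments.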
Am Tue, May 10, 2022 at 09:49:08AM +0200 schrieb Bo Riis Toelberg Kristensen:
Hi,
you're welcome, glad I could help.
bye, Sumit
For simple access control you can refer to the man page "man sssd-simple" for details on "simple_allow_groups". For the "memberOf" filter I think the "memberOf" attribute needs to be enabled on the OpenLDAP server; directory servers have it by default (including AD).
https://www.openldap.org/doc/admin24/guide.html#:~:text=the%20group%20entry....
Regards, Ashok
On Mon, May 9, 2022 at 5:24 PM Bo Riis Toelberg Kristensen brtk@cego.dk wrote: