Hello List,
I am trying to set up sssd to authenticate against an OSX LDAP server. However, I only want to allow users that are in the VPN group. These usernames are located at cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the memberUid attribute. For graphical representation (http://linuxowns.com/images/ldap.png).
Below is my sssd.conf which is a mess and it's not locating the users. The rest of the credentials are fine being pulled from dc=server01,dc=mydomain,dc=com. If I take out the ldap_user_search_base parameter, SSSD will be able to find the users and authenticate... but then it allows all of the users. Any help getting sssd to pull the specified users would be greatly appreciated!
/etc/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = default
debug_level = 10

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://server01.mydomain.com
#ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
ldap_search_base = dc=server01,dc=mydomain,dc=com
ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
ldap_schema = rfc2307bis
#ldap_user_principal = memberUid
ldap_user_object_class = memberUid
min_id = 1
max_id = 0
enumerate = False
ldap_id_use_start_tls = False
#chpass_provider = krb5
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
chpass_provider = krb5
cache_credentials = True
krb5_kpasswd = server01.mydomain.com

/var/log/secure
Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0 user=tkawai
Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0 user=tkawai
Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): received for user tkawai: 10 (User not known to the underlying authentication module)
On 08/13/2013 12:34 AM, Kim wrote:
Hello Kim,
Have you tried configuring the simple access provider? See man 5 sssd-simple for more information. In your case it would mean adding the following to the domain section:
access_provider = simple
simple_allow_groups = vpn
Ondra
On Tuesday 2013-08-13 00:26, Ondrej Kos wrote:
Thank you Ondra, I think this has solved my problem. I did not know about the simple_allow_groups parameter.
-Kim
On 08/13/2013 07:07 PM, Kim wrote:
Glad to help Kim. You can also set the access_provider option to ldap and specify ldap_access_filter (see man 5 sssd-ldap). It didn't hit me when I replied to you, since the simple access provider is, well, simple :)
Ondra
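The security point of this thread is that Kim's original domain had no access_provider at all, so every user the LDAP id_provider could resolve was allowed through PAM. The following is an added example, not code from the thread or from the SSSD project: a small audit that parses an sssd.conf and flags the two ways a domain ends up admitting everyone, a missing access_provider (SSSD's documented default is "permit") and access_provider = simple with no allow/deny rules (which the simple provider treats as "grant access"). The sample configuration is constructed for the example; the domain names "broken", "fixed" and "empty_simple" are placeholders.

```python
"""Audit sssd.conf domain sections for access-control gaps (added example)."""
import configparser

# Constructed sample: Kim's original domain (no access_provider), a domain
# with the fix Ondra suggested, and a simple provider with no rules at all.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = broken, fixed, empty_simple

[domain/broken]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://server01.mydomain.com
ldap_search_base = dc=server01,dc=mydomain,dc=com

[domain/fixed]
id_provider = ldap
auth_provider = krb5
access_provider = simple
simple_allow_groups = vpn

[domain/empty_simple]
id_provider = ldap
access_provider = simple
"""

# Options that give the simple access provider something to decide on.
SIMPLE_RULES = ("simple_allow_users", "simple_deny_users",
                "simple_allow_groups", "simple_deny_groups")


def audit_sssd_conf(text):
    """Return {domain_name: finding} for every domain that admits all users."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        # sssd.conf(5): access_provider defaults to "permit" when unset.
        provider = cp.get(section, "access_provider", fallback="permit")
        if provider == "permit":
            findings[name] = "no access_provider set: SSSD defaults to permit"
        elif provider == "simple" and not any(cp.has_option(section, r) for r in SIMPLE_RULES):
            findings[name] = "simple provider with no allow/deny rules grants access to everyone"
    return findings
```

Run it against the real file with `audit_sssd_conf(open("/etc/sssd/sssd.conf").read())`; an empty result means every domain has an access provider that actually restricts something.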
sssd-users@lists.fedorahosted.org