No matter what I set the ldap_access_filter value to, I can still get successful access.
This might be a configuration issue, since there is not much documentation describing the use of this parameter other than "if you use LDAP as your access provider then you must specify a value for the ldap_access_filter option, otherwise all users will be denied access".
As I understand it, ldap_access_filter has an effect on the PAM access section after auth is successfully done. But https://fedorahosted.org/sssd/wiki/HOWTO_Configure does not even state that we need to add pam_sss.so to the access section. So I added "account required pam_sss.so" myself.
Also, I don't see ldap_access_filter being executed in sssd_domain.log when using debug level 10. The log is attached to this ticket.
Domain section from sssd.conf:
{{{
[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://ldap.server
ldap_group_search_base = cn=groups,cn=accounts,dc=DOMAIN
ldap_user_search_base = cn=users,cn=accounts,dc=DOMAIN
ldap_access_filter = memberOf=cn=otrs-test,cn=groups,cn=accounts,dc=DOMAIN
ldap_tls_reqcert = hard
cache_credentials = False
enumerate = true
ldap_tls_cacert = /etc/openldap/ssl/ca.crt
ldap_id_use_start_tls = False
min_id = 5000
entry_cache_timeout = 60
}}}
attachment sssd_DOMAIN.log
From sssd.conf(5):
{{{
access_provider (string)
    The access control provider used for the domain. There are two built-in access providers (in addition to any included in installed backends). Internal special providers are:
    “permit” always allow access.
    “deny” always deny access.
    “simple” access control based on access or deny lists. See sssd-simple(5) for more information on configuring the simple access module.
    Default: “permit”
}}}
Note the "in addition to any included in installed backends" point. That should tell you that you need:
access_provider = ldap
in order for the {{{ldap_access_filter}}} option to have any meaning. Otherwise, we're defaulting to "permit".
Also, the HOWTO_Configure specifically states:
account [default=bad success=ok user_unknown=ignore] pam_sss.so
Which is what is needed to ensure that SSSD handles the account/access phase properly.
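A check for the misconfiguration diagnosed in the reply above, added here as an example (it is not SSSD's own code): it parses an sssd.conf and flags any domain section that sets ldap_access_filter while access_provider is missing (so it defaults to "permit") or set to something other than ldap. SAMPLE_CONF is constructed from the ticket's domain section.

```python
"""Flag sssd.conf domains where ldap_access_filter is set but will never be
evaluated because access_provider is not 'ldap'. Added example, not SSSD code."""
import configparser

# Constructed sample, based on the domain section posted in the ticket
# (no access_provider line, so SSSD falls back to the default "permit").
SAMPLE_CONF = """
[sssd]
domains = DOMAIN

[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.server
ldap_access_filter = memberOf=cn=otrs-test,cn=groups,cn=accounts,dc=DOMAIN
cache_credentials = False
"""


def check_access_filter(conf_text):
    """Return one finding string per [domain/...] section with the problem."""
    # sssd.conf uses only '=' as key/value separator; values such as the
    # LDAP filter themselves contain '=' so only the first one may split.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if "ldap_access_filter" not in sec:
            continue
        # sssd.conf(5): access_provider defaults to "permit" when unset.
        provider = sec.get("access_provider", "permit").strip().lower()
        if provider != "ldap":
            findings.append(
                f"{section}: ldap_access_filter is set but access_provider is "
                f"'{provider}', so the filter is ignored and every "
                f"authenticated user is granted access by '{provider}'")
    return findings


if __name__ == "__main__":
    for line in check_access_filter(SAMPLE_CONF):
        print(line)
```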
resolution: => invalid
status: new => closed
Fields changed
rhbz: => 0
milestone: NEEDS_TRIAGE => void
Metadata Update from @sala: - Issue set to the milestone: void
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/1752
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.