Score:0

every LDAP user gives "permission denied" with LDAP and sssd (Centos7)


I am trying to limit LDAP logins to the "admin" group.

This is my /etc/sssd/sssd.conf file:

[domain/default]
autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM
min_id = 100
ldap_uri = ldaps://example.com:636/
ldap_default_authtok = Pa$$word
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cert = /etc/openldap/cacerts/certificate.pem
access_provider = ldap
ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com

[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

I have tried `id username` and it comes up with:

id user
uid=90514(user) gid=20000(users) groups=20000(users),2480(admin)

When trying to change the user by doing `su user` it gives the error `su: Permission denied` after the password is entered. When removing the group limitation entries from sssd.conf, it works as expected and lets the user log in.

Any ideas where I have messed up?

Edit: For now I will set it up with /etc/security and PAM and that works. However I am still curious about doing it with sssd.

Have you tried doing `ssh user@localhost` instead? Sometimes `su` can have additional restrictions or be disabled?
Iggy
Still fails.

Dec 20 11:50:37 localhost sshd[1419]: pam_sss(sshd:account): Access denied for user user: 6 (Permission denied)
Dec 20 11:50:37 localhost sshd[1419]: Failed password for user from 10.228.18.93 port 50592 ssh2
Dec 20 11:50:37 localhost sshd[1419]: fatal: Access denied for user user by PAM account configuration [preauth]
Score:0

Does the overlay memberOf exist in your LDAP configuration? As far as I understand, this overlay needs to be explicitly configured before it can be used.

The following command's output should contain something such as 'memberof.la'. If not, then you probably should configure your LDAP server in the first place.

slapcat -n 0 | grep olcModuleLoad

This might be helpful:
https://tylersguides.com/guides/openldap-memberof-overlay/#configuration_tag
https://stackoverflow.com/questions/60994495/memberof-and-refint-does-not-work-in-openldap

Iggy
Thank you! Will test this later, but most likely this is the problem! For now I just did it via /etc/security and PAM, but I am curious about trying to do it this way.
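To see why an unpopulated memberOf attribute denies everyone, here is an added example (not from the question or any answer, and not sssd's own code) that models sssd's access check as a small RFC 4515 filter evaluator run over two constructed versions of the user's entry. The entries, the reuse of the group DN from the question and the (&(uid=...)...) wrapping are assumptions about what the server holds and what sssd sends.

```python
# Constructed model of sssd's ldap_access_filter check (added here, not sssd's code).
# The user entry from the question is modelled without the memberOf overlay (the group's
# member attribute records the membership, so `id` shows the admin group) and with it.
ADMIN_GROUP = "cn=admin,ou=group,o=organization,dc=example,dc=com"
USER_WITHOUT_OVERLAY = {"uid": ["user"], "gidNumber": ["20000"]}
USER_WITH_OVERLAY = {"uid": ["user"], "gidNumber": ["20000"], "memberOf": [ADMIN_GROUP]}

def _parse(flt, i):
    """Parse one RFC 4515 component starting at flt[i]; return (node, next index)."""
    if flt[i] != "(":
        raise ValueError("filter components must be parenthesised")
    i += 1
    if flt[i] in "&|":
        op, kids = flt[i], []
        i += 1
        while flt[i] != ")":
            kid, i = _parse(flt, i)
            kids.append(kid)
        return (op, kids), i + 1
    if flt[i] == "!":
        kid, i = _parse(flt, i + 1)
        return ("!", [kid]), i + 1
    j = flt.index(")", i)
    attr, _, value = flt[i:j].partition("=")  # first '=' splits attr from a DN value
    return ("=", [attr, value]), j + 1

def _match(node, entry):
    op, args = node
    if op == "&":
        return all(_match(k, entry) for k in args)
    if op == "|":
        return any(_match(k, entry) for k in args)
    if op == "!":
        return not _match(args[0], entry)
    attr, value = args
    # Attribute names and DN values compare case-insensitively. An attribute the
    # entry lacks matches nothing, which is what makes the server return no entry.
    values = {v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs}
    return value.lower() in values

def evaluate(flt, entry):
    """True iff the entry satisfies the filter (client-side model of the server search)."""
    node, _ = _parse(flt, 0)
    return _match(node, entry)

def access_granted(entry, access_filter):
    """sssd searches (&(uid=<user>)<ldap_access_filter>) and grants access only if the
    user's entry comes back; the bare form from the question is parenthesised first."""
    flt = access_filter if access_filter.startswith("(") else f"({access_filter})"
    return evaluate(f"(&(uid={entry['uid'][0]}){flt})", entry)
```

With the overlay absent, access_granted returns False for the question's filter even though `id` lists the admin group, because the group membership lives on the group entry, not on the user entry the filter is applied to.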
Score:0

According to https://www.mankier.com/5/sssd-ldap:

ldap_access_filter (string)

If using access_provider = ldap and ldap_access_order = filter (default), this
option is mandatory. It specifies an LDAP search filter criteria that must be met
for the user to be granted access on this host.

If access_provider = ldap, ldap_access_order = filter and this option is not set,
it will result in all users being denied access. Use access_provider = permit to
change this default behavior.

So apparently, adding access_provider = permit should fix your issue.
