Score:0

ldap_group_search_base is not working as intended


I've used the sssd.conf file given below to authorize users on a server. The issue is that some users who are not listed under the DN cn=authorized,ou=rona,ou=servers,ou=groups,dc=yolo,dc=com can still access it. Users are created under ou=users,dc=yolo,dc=com, and any user listed there can access the resources as mentioned before.

server DN: ou=rona,ou=servers,ou=groups,dc=yolo,dc=com

The configuration:

```ini
# [sssd] section header assumed: sssd will not start without it, so it was
# presumably lost when the file was pasted.
[sssd]
config_file_version = 2
services = nss, pam, autofs, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldap.yolo.com
ldap_chpass_uri = ldaps://ldap.yolo.com
ldap_search_base = dc=yolo,dc=com
ldap_user_search_base = ou=users,dc=yolo,dc=com
ldap_group_search_base = ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = <path>/certs
cache_credentials = False
ldap_tls_reqcert = demand
entry_cache_timeout = 6
ldap_network_timeout = 3
ldap_connection_expire_timeout = 6
debug_level = 9
ldap_default_bind_dn = uid=yolobind,ou=bind,dc=yolo,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = PASSWORD
ldap_schema = rfc2307
ldap_use_tls = true
enumerate = true

[sudo]
```
Score:1

You are not filtering for that group, so every user is allowed.

You can add a filter like this:

```ini
ldap_access_filter = memberOf=cn=authorized,ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
```

Check whether memberOf matches your properties; it could also be uniqueMember.

user11482797: Tried that before with `access_provider = ldap`; it just removes access from every user. Is `ldap_access_filter` mandatory? If it is used, is it possible to remove `ldap_group_search_base`?

answerer: Why would you want to remove that? It's just the definition of where sssd should look for groups.

user11482797: I tried the solution you proposed, but it just removes access from every user. Do you know the reason behind that behavior?

answerer: Did you check the membership attribute of the user objects for the correct name and value?

user11482797: Yes, I'm able to log in with the admin user, who is in the authorized group, without the filter. When I applied it to remove the access of the unwanted users, all the other users' access, including the admin's, got removed. In your opinion, is this caused by sssd or by LDAP?

answerer: I can't tell you that; you are not providing enough information.

user11482797: Checked auth.log; I'm getting this error when `ldap_access_filter` is used: `fatal: Access denied for user test-user by PAM account configuration [preauth]`
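The two failure modes in this thread (everyone allowed, then everyone denied) can be checked offline. The script below is an added example, not code from the question, the answer or the sssd project. It reads a trimmed copy of the posted sssd.conf (the `[sssd]` header is assumed, secrets dropped) and reports why `ldap_group_search_base` alone allows every user: per sssd.conf(5), `access_provider` defaults to `permit`. It then applies the documented rule that `ldap_access_filter` is evaluated against the user entry only, so a `memberOf=` filter can only match if the directory actually writes `memberOf` onto user objects; with a plain rfc2307 `posixGroup`, membership lives in `memberUid` on the group, and the filter matches nobody. The directory entries (`admin`, `test-user`, the `authorized` group) are constructed for the example; `ldap.yolo.com` is never contacted.

```python
"""Added example, not code from the question or the answer: audit the sssd.conf
posted above for the mistake discussed in the thread, and decide which attribute a
group-based ldap_access_filter can actually test.  Runs offline; the config and the
directory entries below are constructed, and ldap.yolo.com is never contacted."""
import configparser

# Constructed from the question's config (secrets and unrelated providers dropped).
# The [sssd] header is assumed; sssd refuses to start without it.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.yolo.com
ldap_search_base = dc=yolo,dc=com
ldap_user_search_base = ou=users,dc=yolo,dc=com
ldap_group_search_base = ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
ldap_schema = rfc2307
enumerate = true
"""

AUTHORIZED_GROUP_DN = "cn=authorized,ou=rona,ou=servers,ou=groups,dc=yolo,dc=com"


def audit_access_control(conf_text, domain="default"):
    """Return findings about host access control for one [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    d = cp["domain/" + domain]
    findings = []
    # sssd.conf(5): access_provider defaults to "permit", so every account that
    # id_provider can resolve may log in.  ldap_group_search_base only tells sssd
    # where to look up groups; it never restricts logins.
    provider = d.get("access_provider", "permit")
    if provider != "ldap":
        findings.append(
            "access_provider=%s: every user under %s is allowed to log in; "
            "ldap_group_search_base does not restrict access"
            % (provider, d.get("ldap_user_search_base", d.get("ldap_search_base", "?")))
        )
        return findings
    # With access_provider = ldap, ldap_access_order defaults to "filter" and
    # ldap_access_filter is then mandatory (sssd.conf(5)); without it sssd denies
    # every user.
    order = [o.strip() for o in d.get("ldap_access_order", "filter").split(",")]
    if "filter" in order and "ldap_access_filter" not in d:
        findings.append("access_provider=ldap but ldap_access_filter is missing: "
                        "sssd denies every user")
    return findings


def choose_access_filter(user_entry, group_entry, group_dn):
    """Return (filter, None) if a memberOf filter will work, else (None, reason).

    sssd evaluates ldap_access_filter against the *user* entry only, so the
    membership must be visible there as memberOf.  member, uniqueMember and
    memberUid are stored on the group entry and cannot be tested by this filter.
    """
    member_of = {v.lower() for v in user_entry.get("memberOf", [])}
    if group_dn.lower() in member_of:
        return "(memberOf=%s)" % group_dn, None
    user_dn = user_entry["dn"].lower()
    for attr in ("member", "uniqueMember"):
        if user_dn in {v.lower() for v in group_entry.get(attr, [])}:
            return None, ("membership is only recorded as %s on the group entry; "
                          "the user entry has no memberOf, so the filter matches nobody" % attr)
    if user_entry.get("uid", [""])[0] in group_entry.get("memberUid", []):
        return None, ("rfc2307 posixGroup membership (memberUid) is not visible on "
                      "the user entry; a memberOf filter matches nobody")
    return None, "user is not a member of %s" % group_dn


# Constructed directory entries mirroring the question's tree (not real data).
USER_WITH_MEMBEROF = {"dn": "uid=admin,ou=users,dc=yolo,dc=com", "uid": ["admin"],
                      "memberOf": [AUTHORIZED_GROUP_DN]}
USER_RFC2307 = {"dn": "uid=test-user,ou=users,dc=yolo,dc=com", "uid": ["test-user"]}
GROUP_RFC2307 = {"dn": AUTHORIZED_GROUP_DN, "objectClass": ["posixGroup"],
                 "memberUid": ["admin", "test-user"]}

if __name__ == "__main__":
    for finding in audit_access_control(SSSD_CONF):
        print("finding:", finding)
    print(choose_access_filter(USER_WITH_MEMBEROF, GROUP_RFC2307, AUTHORIZED_GROUP_DN))
    print(choose_access_filter(USER_RFC2307, GROUP_RFC2307, AUTHORIZED_GROUP_DN))
```

The audit passes only once the domain carries `access_provider = ldap`, `ldap_access_order = filter` and an `ldap_access_filter`, which is the combination the answer's single line needs to take effect. If the directory does not publish `memberOf` on user entries (the plain rfc2307 `posixGroup` case the question's `ldap_schema` suggests), a `memberOf` filter denies everyone, which matches the `Access denied ... by PAM account configuration` symptom; sssd's simple provider (`access_provider = simple` with `simple_allow_groups = authorized`) restricts logins using the group membership sssd already resolves through `ldap_group_search_base`, without depending on a server-side `memberOf` overlay.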