
List:       sssd-users
Subject:    Re: [SSSD-users] Pulling users from a group in OSX Openldap
From:       Ondrej Kos <okos () redhat ! com>
Date:       2013-08-14 9:08:50
Message-ID: 520B4922.7010807 () redhat ! com

On 08/13/2013 07:07 PM, Kim wrote:
> On Tuesday 2013-08-13 00:26, Ondrej Kos wrote:
>> On 08/13/2013 12:34 AM, Kim wrote:
>>> Hello List,
>>>
>>> I am trying to set up sssd to authenticate against an OSX LDAP server.
>>> However, I only want to allow users that are in the VPN group. These
>>> usernames are located at
>>> cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the memberUid
>>> attribute. For graphical representation
>>> (http://linuxowns.com/images/ldap.png).
>>>
>>> Below is my sssd.conf which is a mess and it's not locating the users.
>>> The rest of the credentials are fine being pulled from
>>> dc=server01,dc=mydomain,dc=com. If I take out the ldap_user_search_base
>>> parameter, SSSD will be able to find the users and authenticate... but
>>> then it allows all of the users. Any help getting sssd to pull the
>>> specified users would be greatly appreciated!
>>>
>>> /etc/sssd.conf
>>>
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>> domains = default
>>> debug_level = 10
>>>
>>> [nss]
>>> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>>>
>>> [pam]
>>>
>>> [domain/default]
>>>
>>> id_provider = ldap
>>> auth_provider = krb5
>>> ldap_uri = ldap://server01.mydomain.com
>>> #ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
>>> ldap_search_base = dc=server01,dc=mydomain,dc=com
>>> ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com
>>> ldap_schema = rfc2307bis
>>> #ldap_user_principal = memberUid
>>> ldap_user_object_class = memberUid
>>>
>>> min_id = 1
>>> max_id = 0
>>> enumerate = False
>>> ldap_id_use_start_tls = False
>>> #chpass_provider = krb5
>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>> krb5_realm = SERVER01.MYDOMAIN.COM
>>> krb5_server = server01.mydomain.com
>>> chpass_provider = krb5
>>> cache_credentials = True
>>> krb5_kpasswd = server01.mydomain.com
>>>
>>> /var/log/secure
>>> Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0
>>> user=tkawai
>>> Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0
>>> user=tkawai
>>> Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): received for
>>> user tkawai: 10 (User not known to the underlying authentication module)
>>>
>>>
>>
>> Hello Kim,
>>
>> Have you tried configuring the simple access provider? see
>> man 5 sssd-simple
>> for more information. In your case it would mean adding following to
>> the domain section:
>>
>> access_provider = simple
>> simple_allow_groups = vpn
>>
>> Ondra
>>
>>
> Thank you Ondra, I think this has solved my problem. I did not know
> about the simple_allow_groups parameter.
>
> -Kim

Glad to help Kim. You can also set the access_provider option to ldap 
and specify ldap_access_filter (see man 5 sssd-ldap). It didn't hit me 
when I replied to you, since the simple access provider is, well, simple :)

Ondra


-- 
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
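As an added example (not part of the thread), here is the [domain/default] section rewritten the way Ondra's advice implies: the ldap_user_search_base and ldap_user_object_class overrides that were being used to restrict users are dropped, since they tell SSSD where and what user entries are rather than who may log in, and the group restriction moves to the access provider. The commented ldap_access_filter alternative assumes the directory exposes a memberOf attribute on user entries, which nothing in the thread confirms.

```ini
[domain/default]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://server01.mydomain.com
ldap_search_base = dc=server01,dc=mydomain,dc=com
ldap_schema = rfc2307bis
# Removed: ldap_user_search_base = cn=vpn,... and ldap_user_object_class = memberUid
# Pointing the user search at the group entry made every user lookup fail
# ("User not known to the underlying authentication module"), so nobody
# could authenticate; these options cannot express "members of vpn only".

# Access control: identity lookups still work for everyone, but only
# members of the vpn group pass the PAM account check.
access_provider = simple
simple_allow_groups = vpn
# The group must be resolvable through the id provider for this to work;
# verify on the client with: getent group vpn

# Alternative (instead of the two lines above): evaluate a filter against
# the user's own entry. Assumes the server adds memberOf to user entries,
# which this thread does not confirm; adjust to your directory's schema.
#access_provider = ldap
#ldap_access_filter = (memberOf=cn=vpn,cn=groups,dc=server01,dc=mydomain,dc=com)

krb5_realm = SERVER01.MYDOMAIN.COM
krb5_server = server01.mydomain.com
krb5_kpasswd = server01.mydomain.com
cache_credentials = True
enumerate = False
min_id = 1
max_id = 0
# Kept from the original config: ldap:// without STARTTLS sends identity
# queries in clear text (passwords go via Kerberos, not LDAP). Prefer
# ldap_id_use_start_tls = True or an ldaps:// URI with a trusted CA dir.
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
```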
