On 05/15/2015 03:07 AM, Ulrich Hiller wrote:
the uid is below 2000. If you want to know the real number: it is 1026.
I'm happy to help, but I have to point out that we've been chasing this
problem for ten days now, and the problem would have been pretty obvious
if you had not obscured the uidNu
Yesterday we had a public holiday here. Now I am back. ;-)
the uid is below 2000. If you want to know the real number: it is 1026.
But when I set the 2000 to 1000:
account sufficient pam_succeed_if.so uid < 1000 quiet
I cannot log in at all: "Permission denied"
With kind regards, ulrich
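As an added illustration (not code from the thread or from the sssd project), here is a small Python model of PAM account-stack control flags. It shows why `account sufficient pam_succeed_if.so uid < 2000` returns success before pam_sss.so is ever consulted for a user with uidNumber 1026, so sssd's access check never shows up in its log, and why lowering the threshold to 1000 makes pam_sss's verdict decide instead. The stack layout is a constructed authconfig-style example and the module results are simulated, not real PAM calls.

```python
import re

# Constructed 'account' stack modelled on an authconfig-style
# /etc/pam.d/system-auth; only the uid threshold is varied below.
STACK = """\
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < {threshold} quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""
# Linux-PAM's legacy control keywords written as retval=action tables.
LEGACY = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

def module_result(module, args, user):
    """Simulated module return values; no real PAM module is called."""
    if module == "pam_localuser.so":
        return "success" if user["local"] else "user_unknown"
    if module == "pam_succeed_if.so":
        limit = int(re.search(r"uid\s*<\s*(\d+)", args).group(1))
        return "success" if user["uid"] < limit else "auth_err"
    if module == "pam_sss.so":  # sssd's access check (e.g. host attribute)
        return "success" if user["ldap_access_ok"] else "perm_denied"
    return "success"  # pam_unix (user resolvable via NSS) and pam_permit

def run_account_stack(stack, user):
    """Walk the stack with PAM control-flag semantics; returns (verdict, modules_consulted)."""
    failed, consulted = False, []
    for line in stack.splitlines():
        m = re.match(r"account\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        control, module, args = m.groups()
        if control.startswith("["):
            table = dict(p.split("=") for p in control[1:-1].split())
        else:
            table = LEGACY[control]
        consulted.append(module)
        action = table.get(module_result(module, args, user), table.get("default", "bad"))
        if action == "bad":  # remember the failure, keep walking the stack
            failed = True
        elif action == "die":
            return "denied", consulted
        elif action == "done" and not failed:  # 'sufficient' short-circuit
            return "ok", consulted
    return ("denied" if failed else "ok"), consulted
```

Run it with a non-local user of uid 1026 against `STACK.format(threshold=2000)` and `STACK.format(threshold=1000)` to see which modules are consulted in each case.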
On 05/12/2015 11:47 AM, Ulrich Hiller wrote:
that's interesting. "performing access check" is really missing.
OK Your system is configured to not check users with uidNumber <
2000. Your original message obscured the UID of the user you were
testing. What is it?
On 05/12/2015 11:04 PM, m.r...@5-cent.us wrote:
> Ulrich Hiller wrote:
>> I thought this too.
>> I think this:
>>
>> access_provider = ldap
>> ldap_access_filter = memberOf=host=does-not-exist-host
>> ldap_access_order = filter
>> ldap_user_authorized_host = host
>>
>> must confuse sssd so much t
Ulrich Hiller wrote:
> I thought this too.
> I think this:
>
> access_provider = ldap
> ldap_access_filter = memberOf=host=does-not-exist-host
> ldap_access_order = filter
> ldap_user_authorized_host = host
>
> must confuse sssd so much that it denies login. But the user without
> host attribute ca
I thought this too.
I think this:
access_provider = ldap
ldap_access_filter = memberOf=host=does-not-exist-host
ldap_access_order = filter
ldap_user_authorized_host = host
must confuse sssd so much that it denies login. But the user without
host attribute can still log in.
With kind regards, ulri
Ulrich Hiller wrote:
> that's interesting. "performing access check" is really missing.
>
> also the "sdap_access" lines are not there. Therefore I do have:
>
> (Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
> (0x0400): Option ldap_access_filter has no value
> (Tue May 12 13:16:20 2
that's interesting. "performing access check" is really missing.
also the "sdap_access" lines are not there. Therefore I do have:
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_options]
(0x0400): Option ldap_access_filter has no value
(Tue May 12 13:16:20 2015) [sssd[be[default]]] [dp_get_
On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
I have set logging in sssd to 9:
7 might be good enough for what you want to find. I added this to
domain/default section:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7
/var/log/sssd/sssd_defau
>
> After that you'll probably have to turn up logging in sssd and check its
> logs to see what it's doing.
I have set logging in sssd to 9:
cache_credentials = true
debug_level = 9
I first tried a user with the correct host attribute, then a user
without the host attribute. The output in the l
>
> Hate to say that we're running out of options. I had a CentOS 7 system
> similar to yours, with LDAP authentication. I added three lines to
> sssd.conf (for access provider, etc), restarted sssd, and users with no
> "host" attribute were denied. I didn't actually test users with a host
>
On 05/11/2015 10:06 AM, Ulrich Hiller wrote:
Hmmm, I have now made a complete new install but the problem
persists: ldap authentication works, but the host attribute is ignored.
Hate to say that we're running out of options. I had a CentOS 7 system
similar to yours, with LDAP authenticati
> Sent: Monday, May 11, 2015 1:40 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] ldap host attribute is ignored
>
> one more thing: firewalld service and selinux are deactivated.
>
>
> On 05/11/2015 07:06 PM, Ulrich Hiller wrote:
>> Hmmm, I have now made
one more thing: firewalld service and selinux are deactivated.
On 05/11/2015 07:06 PM, Ulrich Hiller wrote:
> Hmmm, I have now made a complete new install but the problem
> persists: ldap authentication works, but the host attribute is ignored.
>
> I have installed CentOS7 64bit with KDE.
>
Hmmm, I have now made a complete new install but the problem
persists: ldap authentication works, but the host attribute is ignored.
I have installed CentOS7 64bit with KDE.
I did not do any 'yum update' or install of extra packages so far.
These pam and ldap packages are installed:
openldap-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of
Jonathan Billings
Sent: Saturday, May 09, 2015 4:25 PM
To: CentOS mailing list
Subject: Re: [CentOS] ldap host attribute is ignored
On May 8, 2015, at 11:14 AM, Ulrich Hiller wro
On 05/09/2015 01:24 PM, Jonathan Billings wrote:
Is it normal to have pam_unix and pam_sss twice for each section?
No. See my previous message. I think it's the result of copying
portions of SuSE configurations.
On May 8, 2015, at 11:14 AM, Ulrich Hiller wrote:
>
> /etc/pam.d/system-auth:
> ---
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so n
On 05/08/2015 08:14 AM, Ulrich Hiller wrote:
With kind regards, ulrich
Hm. I don't *see* the problem, so let me go about this in the opposite
direction. I added the host controls to one of my systems, and they
appear to work properly.
My configuration files were *mostly* written by "authc
>> But instead i get
>> centos: sshd[7929]: pam_unix(sshd:session): session opened for user
>>
>
> "pam_unix" should be an indication that appears in the local
> unix password files. Make sure that it doesn't.
Nope. None of the usernames I tried is in /etc/passwd or /etc/shadow
>
> What do
On 05/07/2015 12:07 PM, Ulrich Hiller wrote:
Login with the wrong password gives a denied login.
Login with the correct password always works.
This has been my situation since the beginning of my thread.
Got it. I misread part of your last message, and thought that logins
were /not/ working when sssd w
Thanks a lot for looking over the config.
I am at the topic "user data is available"
id
and
getent passwd
and
ldapsearch -x -b "ou=XXX,o=YYY" uid=
give the correct results
ldapsearch also gives the correct host attribute I have set in the ldap
server.
Regarding the manpage of sssd.conf the li
On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
Now I have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
like this:
Looks good.
My /etc/openldap/ldap.conf is this:
OK, but that file isn't used for name service or authentication. Mostly
just the openldap tools (ldapsearch, lda
Thanks a lot for the explanation. I have confused some things while
crawling through the manuals.
Now I have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
like this:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUN
On 05/05/2015 11:14 AM, Ulrich Hiller wrote:
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
This is wrong. Don't use sss and ldap together. It's redundant. At
best it will cause performance problems.
Get rid of the ldap module and see if the system starts working
correctly with just sssd. It'
Hi,
added, but no success.
My sssd.conf now looks like this:
[sssd]
config_file_version = 2
services = nss,pam
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them
Hi,
I am confused about what to do now.
> Do I have to configure anything else in /etc/pam.d apart from system-auth?
>
IMO, you have to configure sssd.conf properly.
Please add "ldap_user_authorized_host = host" in your sssd.conf which you
have not configured.
After that please check again.
For
On 05/05/2015 06:47 PM, Gordon Messmer wrote:
> On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
>> /etc/openldap/ldap.conf contains the line:
>> --
>> pam_check_host_attr yes
>
> /etc/openldap/ldap.conf is the configuration file for openldap clients.
>
I have already seen this page, but it does not help me.
But anyway, thanks a lot for your help.
With kind regards, ulrich
On 05/05/2015 05:47 PM, m.r...@5-cent.us wrote:
> Ulrich Hiller wrote:
>> Unfortunately I got a syntax error with this method "ldap_access_filter
>> = host='HOSTNAME' " and
On 05/05/2015 03:02 AM, Ulrich Hiller wrote:
/etc/openldap/ldap.conf contains the line:
--
pam_check_host_attr yes
/etc/openldap/ldap.conf is the configuration file for openldap clients.
It is not used for system authentication or name service.
Ulrich Hiller wrote:
> Unfortunately I got a syntax error with this method "ldap_access_filter
> = host='HOSTNAME' " and sssd did not restart.
> I added the line
> ldap_user_authorized_host = host
> without success
>
> I have to admit that i do not have any idea where to look for the problem:
goog
Unfortunately I got a syntax error with this method "ldap_access_filter
= host='HOSTNAME' " and sssd did not restart.
I added the line
ldap_user_authorized_host = host
without success
I have to admit that i do not have any idea where to look for the problem:
- is it sssd? I have the version 1.12.
Hi,
On 05/05/2015 12:02 PM, Ulrich Hiller wrote:
access_provider = ldap
ldap_access_filter = memberOf=ou=,o=
ldap_access_order = host
Try using the parameter "ldap_access_filter = host='HOSTNAME' " instead of
"ldap_access_order = host".
regards, Kai
Hi,
'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf
is a softlink to that file.
But still the host attribute is ignored.
With kind regards, ulrich
On 05/05/2015 12:32 PM, Ashish Yadav wrote:
> Hi,
>
> On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller wrote:
>
>> Dear lis
Hi,
On Tue, May 5, 2015 at 3:32 PM, Ulrich Hiller wrote:
> Dear list members,
>
> I have installed a CentOS 7 x86_64 system. I want to let users
> authenticate over our ldap server. This seems to be working.
> ldap-username and ldap-passwords are accepted for the users configured
> in the ldap s
Dear list members,
I have installed a CentOS 7 x86_64 system. I want to let users
authenticate over our ldap server. This seems to be working.
ldap-username and ldap-passwords are accepted for the users configured
in the ldap server. No problem.
Now I want to restrict the access to users who have