LDAP User Permission Denied with LDAP and SSSD on CentOS 7

Tags: centos7, ldap, openldap, sssd

I am trying to limit LDAP logins to the "admin" group.

This is my /etc/sssd/sssd.conf file:

[domain/default]
autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM
min_id = 100
ldap_uri = ldaps://example.com:636/
ldap_default_authtok = Pa$$word
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cert = /etc/openldap/cacerts/certificate.pem
access_provider = ldap
ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com

[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

I have tried to do id username and it comes up with:

id user
uid=90514(user) gid=20000(users) groups=20000(users),2480(admin)

When trying to change the user by doing su user it gives the error su: Permission denied after the password is entered.
When removing the group limitation entries from sssd.conf, it works as expected and lets the user log in.

Any ideas where I have messed up?

Edit: For now I will set it up with /etc/security and PAM and that works. However I am still curious about doing it with sssd.
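The access-control, bind-credential and TLS settings in a [domain/...] section are the ones that decide whether a user is let in at all and how much an attacker gains from reading the file, so they are worth checking mechanically before restarting sssd. The script below is an added example, not part of the question or of SSSD itself: it writes a constructed sssd.conf that mirrors the one posted above (the DNs, URI and password are copied from the question; the file path is an assumption) and runs a small lint over its [domain/...] section. It reports the "deny everyone" combination the sssd-ldap man page warns about (access_provider = ldap with no ldap_access_filter), a permit provider that performs no access control, a filter that relies on a server-maintained memberOf attribute, a cleartext bind password, a file mode wider than 0600, and ldap_tls_reqcert values that accept an invalid server certificate.

```shell
#!/bin/sh
# Added example (not from the original post): lint the access-control, credential and
# TLS settings of the [domain/...] section of an sssd.conf. Sample config is constructed
# here to mirror the question; the file path under $TMPDIR is an assumption.

# write_sample_conf PATH [KEY = VALUE ...]: constructed sssd.conf; extra lines are
# appended to the [domain/default] section so variants can be generated.
write_sample_conf() {
    path="$1"; shift
    cat >"$path" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://example.com:636/
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM
ldap_default_authtok = Pa$$word
ldap_tls_reqcert = allow
EOF
    for line in "$@"; do printf '%s\n' "$line" >>"$path"; done
    chmod 600 "$path"
}

# lint_sssd_domain CONF: print one finding per line; exit status 1 if anything was found.
lint_sssd_domain() {
    conf="$1"
    # key=value lines of the [domain/...] section only: headers and comments dropped,
    # whitespace around the first '=' removed (values may themselves contain '=').
    dom=$(sed -n '/^\[domain\//,/^\[/p' "$conf" | grep -v '^[[:space:]]*[#;[]' \
          | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/')
    val() { printf '%s\n' "$dom" | awk -F= -v k="$1" '$1==k {print substr($0, length(k)+2); exit}'; }
    n=0
    ap=$(val access_provider)
    filt=$(val ldap_access_filter)
    order=$(val ldap_access_order | tr -d ' ')   # sssd default is "filter"
    case "$ap" in
    ldap)
        case ",${order:-filter}," in
        *,filter,*) [ -z "$filt" ] && {
            echo "DENY_ALL: access_provider=ldap with ldap_access_order=filter but no ldap_access_filter denies every user"
            n=$((n+1)); } ;;
        esac
        case "$filt" in *[mM]ember[oO]f*)
            echo "MEMBEROF: filter depends on a server-maintained memberOf attribute (OpenLDAP needs the memberof overlay); test the filter with ldapsearch as the bind DN"
            n=$((n+1)) ;;
        esac ;;
    permit)
        echo "PERMIT_ALL: access_provider=permit performs no access control; every user the id provider returns may log in"
        n=$((n+1)) ;;
    esac
    [ -n "$(val ldap_default_authtok)" ] && {
        echo "CLEARTEXT_BIND_PASSWORD: ldap_default_authtok is stored in the clear; keep the file 0600 root:root and give the bind DN read-only rights"
        n=$((n+1)); }
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    [ "$mode" = 600 ] || { echo "PERMS: $conf has mode ${mode:-unknown}, expected 600"; n=$((n+1)); }
    case "$(val ldap_tls_reqcert)" in allow|never)
        echo "TLS_UNVERIFIED: ldap_tls_reqcert=$(val ldap_tls_reqcert) accepts an invalid server certificate; use demand (or the default, hard)"
        n=$((n+1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Usage: lint a config that mirrors the one in the question.
SAMPLE_CONF="${TMPDIR:-/tmp}/sssd-lint-sample.conf"
write_sample_conf "$SAMPLE_CONF" "access_provider = ldap" \
    "ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com"
lint_sssd_domain "$SAMPLE_CONF" || true
```

Run it against /etc/sssd/sssd.conf as root. The posted config produces the MEMBEROF, CLEARTEXT_BIND_PASSWORD and TLS_UNVERIFIED findings: the first is the one that explains a deny when `id` still shows the group (group membership can be resolved through the group's member attribute even when user entries carry no memberOf), the other two are independent of the login problem but weaken the deployment.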

Best Answer

According to https://www.mankier.com/5/sssd-ldap:

ldap_access_filter (string)

If using access_provider = ldap and ldap_access_order = filter (default), this
option is mandatory. It specifies an LDAP search filter criteria that must be met
for the user to be granted access on this host.

If access_provider = ldap, ldap_access_order = filter and this option is not set,
it will result in all users being denied access. Use access_provider = permit to
change this default behavior.

So apparently, adding access_provider = permit should fix your issue.
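access_provider = permit removes the host access check entirely, which is the opposite of what the question wants. The script below is an added example, not code from the answer or from SSSD: it writes the two access sections that keep the restriction to the admin group (the ldap provider with the memberOf filter, and the simple provider keyed on the group name that `id` already resolves), and builds the ldapsearch that reproduces what the ldap access provider evaluates. The DNs, URI and group come from the question; that SSSD ANDs the configured filter with the user's own entry, looked up by uid and the posixAccount object class, is an assumption about its default user map.

```shell
#!/bin/sh
# Added example (not from the original answer): keep the admin-group restriction instead of
# switching to access_provider = permit, and reproduce SSSD's access search with ldapsearch.
# DNs, URI and group name are taken from the question; the uid/posixAccount user map and the
# ANDed filter shape are assumptions about SSSD's ldap access provider.

# access_filter USER FILTER: the search the ldap access provider effectively runs for USER:
# the user's own entry AND the configured ldap_access_filter (parenthesised if it was not).
access_filter() {
    user="$1"; f="$2"
    case "$f" in \(*) ;; *) f="($f)" ;; esac
    printf '(&(uid=%s)(objectClass=posixAccount)%s)' "$user" "$f"
}

# ldapsearch_cmd USER FILTER: command to run on the host with the same bind DN sssd uses.
# An empty result means the deny is correct from the server's point of view: either the user
# entry has no memberOf attribute (no memberof overlay) or the group DN in the filter is wrong.
ldapsearch_cmd() {
    printf 'ldapsearch -H ldaps://example.com:636/ -D "%s" -W -b dc=example,dc=com -s sub "%s" dn memberOf\n' \
        "cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM" \
        "$(access_filter "$1" "$2")"
}

# write_access_section PATH MODE: the access lines to use in [domain/default] in place of
# access_provider = permit. MODE=ldap keeps the memberOf filter (needs memberOf on user
# entries); MODE=simple uses the group name sssd already resolves, so it needs no memberOf.
write_access_section() {
    path="$1"
    case "$2" in
    ldap) cat >"$path" <<'EOF'
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com)
EOF
    ;;
    simple) cat >"$path" <<'EOF'
access_provider = simple
simple_allow_groups = admin
EOF
    ;;
    *) echo "unknown mode: $2" >&2; return 1 ;;
    esac
}

# Usage: print the verification command and the two candidate access sections.
ldapsearch_cmd user "memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com"
SECTION="${TMPDIR:-/tmp}/sssd-access-section.conf"
write_access_section "$SECTION" simple
cat "$SECTION"
```

Whichever section you choose, paste it into [domain/default], then `sss_cache -E` and `systemctl restart sssd` so the cached deny is not reused. If the ldapsearch returns the user's DN with the memberOf value, the ldap variant works as written; if it returns nothing while `id user` still lists admin, the server is not maintaining memberOf and the simple variant is the one to use.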