LDAP group filter using SSSD

sssd

I am using RHEL 7.2 image and trying to provide group based LDAP authentication using SSSD. How do I enable group based filters using SSSD?

I am attaching my sssd.conf file and I haven't enabled TLS on LDAP server (OpenDJ). I changed the value of FORCELEGACY to yes on client machine to connect without TLS.

Below is my sssd.conf file

[domain/default]

 autofs_provider = ldap
 ldap_schema = rfc2307bis
 ldap_search_base = dc=mykronos,dc=internal
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 ldap_uri = ldap://[ldap-server-ip]:[port]
 ldap_id_use_start_tls = False
 cache_credentials = False
 ldap_tls_reqcert = allow
 ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]

 services = nss, pam, autofs
 config_file_version = 2
 domains = default

[nss]

 homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

 ldap_access_filter = memberOf=cn=test,ou=groups,dc=example,dc=com

I am unable to restrict users from groups other than test from logging into the machine.

Best Answer

Try this:

access_provider = simple
simple_allow_groups = g1, g2

See man sssd-simple for more information.

By the way - SSSD does not allow authentication without either TLS or SSL.

Related Solutions

Ldap – CentOS 6 SSSD SSH/Console Login Issues

According to that log, it looks like SSSD's LDAP provider crashed and had to be restarted. That's why you got access-denied.

See specifically:

(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].

and then it goes to

(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first

Those lines indicate that the server is starting up again. At a guess, I'd say something went wrong while processing the ldap password policy on the client, since the last thing before it crashed was a reference to the LDAP code for the ldap_pwd_exop.

Check /var/log/messages for indications of a crash and file a bug with CentOS. Ideally, install the debuginfo for the sssd, openldap and ding-libs packages, then attach to the sssd_be process with gdb and get a backtrace of the crash to include in the bug report.

Ldap – restrict ssh access to host using sssd and LDAP

Without an id_provider sssd cannot perform any of its nsswitch roles. All sss user and group resolution will fail. You can see this with getent passwd bobdog.

I notice you have two different ldap_access_filter. Though the first one seems bad, but it's last value wins, so that's more of a tidiness issue.

ldap_access_filter = (&(object)(object))
ldap_access_filter = (|(memberOf=cn=datateam,ou=group,dc=edurp,dc=com)(memberOf=cn=ctmtest,ou=group,dc=edurp,dc=com)(memberOf=cn=syseng,ou=group,dc=edurp,dc=com))

Additionally, I don't know if dsee7 supports memberof, though I suspect it does. It is worth double checking. memberof is usually an operational attribute, so you have to ask for it explicitly. ldapsearch -H ldaps://ldap0.la01.edurp.com/ -b dc=edurp,dc=com uid=bobdog memberof.

It's generally better to use SRV RRs than explicit hosts. You're already relying on DNS for name resolution.

If you have a kerberos KDC, you might want to use krb5 as your auth_provider and use sshd's AllowGroups instead to restrict access. GSSAPI is handy at times.

AllowGroups
This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.

Best Answer

Related Solutions

Ldap – CentOS 6 SSSD SSH/Console Login Issues

Ldap – restrict ssh access to host using sssd and LDAP

Related Topic