I need to restrict ssh access to hosts based on the user's LDAP group membership. I want to do this using sssd's ldap_access_filter feature. Here's my sssd.conf file:
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
debug_level = 5
ldap_tls_reqcert = never
auth_provider = ldap
access_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=edurp,dc=com
ldap_group_member = uniquemember
#id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://ldap0.la01.edurp.com/,ldaps://ldap1.la01.edurp.com/
ldap_chpass_uri = ldaps://ldap0.edurp.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))
krb5_realm = EXAMPLE.COM
krb5_kdcip = kerberos.example.com
ldap_access_filter = (|(memberOf=cn=datateam,ou=group,dc=edurp,dc=com)(memberOf=cn=ctmtest,ou=group,dc=edurp,dc=com)(memberOf=cn=syseng,ou=group,dc=edurp,dc=com))
My nsswitch.conf file looks like this:
passwd: files sss
shadow: files sss
passwd_compat: sss
shadow_compat: sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: sss files
publickey: nisplus
automount: files ldap
aliases: files nisplus
So the error messages I see in /var/log/sssd/:
(Wed Jun 25 12:25:36 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Jun 25 12:25:36 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [6][default]
(Wed Jun 25 12:25:36 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [6][default]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobdog]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): user: bobdog
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 10.65.6.65
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 48404
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0100): User [bobdog] was not found with the specified filter. Denying access.
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [6][default]
(Wed Jun 25 12:29:37 2014) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [6][default]
And in /var/log/secure I see:
Jun 25 12:29:37 vmtest0 sshd[48404]: pam_sss(sshd:account): Access denied for user bobdog: 6 (Permission denied)
Jun 25 12:29:37 vmtest0 sshd[48405]: fatal: Access denied for user bobdog by PAM account configuration
I'm being made to use Oracle 6.5 Linux and openldap on the client machines for this project. The ldap servers run dsee7.
Thanks for any advice.
Best Answer
Without an id_provider, sssd cannot perform any of its nsswitch roles. All sss user and group resolution will fail. You can see this with getent passwd bobdog.

I notice you have two different ldap_access_filter entries. Though the first one seems bad, the last value wins, so that's more of a tidiness issue.

Additionally, I don't know if dsee7 supports memberof, though I suspect it does. It is worth double checking. memberof is usually an operational attribute, so you have to ask for it explicitly: ldapsearch -H ldaps://ldap0.la01.edurp.com/ -b dc=edurp,dc=com uid=bobdog memberof

It's generally better to use SRV RRs than explicit hosts. You're already relying on DNS for name resolution.

If you have a kerberos KDC, you might want to use krb5 as your auth_provider and use sshd's AllowGroups instead to restrict access. GSSAPI is handy at times.
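A small pre-flight checker for the configuration problems the answer points at (no id_provider, a duplicated ldap_access_filter where only the last value counts, and a filter that is not valid LDAP syntax), as an added example that is not part of the original post or of sssd itself; the embedded sample is a constructed abridgement of the question's [domain/default] section.

```python
"""Pre-flight checks for an sssd.conf like the one in the question (added example,
not from the original post): a domain with access_provider = ldap needs an
id_provider, duplicate ldap_access_filter keys are last-wins, filters must parse."""
import re

# Constructed sample: the question's [domain/default], abridged to the relevant keys.
SAMPLE_CONF = """\
[domain/default]
access_provider = ldap
#id_provider = ldap
ldap_access_filter = (&(object)(object))
ldap_access_filter = (|(memberOf=cn=datateam,ou=group,dc=edurp,dc=com)(memberOf=cn=syseng,ou=group,dc=edurp,dc=com))
"""
ATTR_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=")  # start of an attr=value leaf

def parse_sssd_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # a commented-out id_provider is not set
        if line[0] == "[":
            current = line.strip("[]")
        else:
            key, _, value = line.partition("=")
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def filter_is_well_formed(flt):
    """Parentheses balance and every non-operator '(' opens an attr=value leaf."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    if depth or not flt.startswith("("):
        return False
    leaves = {m.start() for m in ATTR_RE.finditer(flt)}
    return leaves == {i for i, c in enumerate(flt) if c == "(" and flt[i + 1] not in "&|!"}

def check_domain(sections, domain="domain/default"):
    """List the findings for one domain section (empty list means clean)."""
    opts = sections.get(domain, [])
    filters = [v for k, v in opts if k == "ldap_access_filter"]
    findings = []
    if "id_provider" not in {k for k, _ in opts}:
        findings.append("no id_provider: sss user/group resolution will fail")
    if len(filters) > 1:
        findings.append(f"{len(filters)} ldap_access_filter keys; sssd uses the last")
    findings += [f"malformed filter: {f}" for f in filters if not filter_is_well_formed(f)]
    return findings
```

Run check_domain(parse_sssd_conf(open("/etc/sssd/sssd.conf").read())) on a client before restarting sssd; an empty list means none of these three problems is present.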