No matter what value I set ldap_access_filter to, I can still get successful access.
This might be a configuration issue, since there is not much documentation describing the use of this parameter other than "if you use LDAP as your access provider then you must specify a value for the ldap_access_filter option, otherwise all users will be denied access".
As I understand, ldap_access_filter has an effect on the PAM access section after auth is successfully done. But https://fedorahosted.org/sssd/wiki/HOWTO_Configure does not even state that we need to add pam_sss.so to the access section. So I did add "account required pam_sss.so" myself.
Also I don't see ldap_access_filter being executed in sssd_domain.log when using debug level 10.
Log is attached to this ticket.
access_provider (string)
The access control provider used for the domain. There are two built-in access providers (in addition to any included in installed backends) Internal special providers are:
“permit” always allow access.
“deny” always deny access.
“simple” access control based on access or deny lists. See sssd-simple(5) for more information on configuring the simple access module.
Default: “permit”
Note the "in addition to any included in installed backends" point. That should tell you that you need:
access_provider = ldap
In order for the {{{ldap_access_filter}}} option to have any meaning. Otherwise, we're defaulting to "permit".
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/710
Domain section from sssd.conf
Comments
Comment from sala at 2010-12-13 16:17:13
attachment
sssd_DOMAIN.log
Comment from sgallagh at 2010-12-13 16:21:51
From sssd.conf(5)
Note the "in addition to any included in installed backends" point. That should tell you that you need:
In order for the {{{ldap_access_filter}}} option to have any meaning. Otherwise, we're defaulting to "permit".
Also, the HOWTO_Configure specifically states:
Which is what is needed to ensure that SSSD handles the account/access phase properly.
resolution: => invalid
status: new => closed
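A check for the misconfiguration diagnosed in the comment above, as an added example that is not part of the ticket or SSSD's own code: it parses an sssd.conf and flags domains where ldap_access_filter is set but access_provider is not ldap, so the default "permit" applies. The sample config, its domain names and filter values, and the function name audit_access_control are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf (not the reporter's file). EXAMPLE sets
# ldap_access_filter but leaves access_provider unset, so the documented
# default "permit" applies and the filter is never evaluated.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE, FIXED, NOFILTER

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=example,dc=com

[domain/FIXED]
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=example,dc=com

[domain/NOFILTER]
id_provider = ldap
access_provider = ldap
"""

def audit_access_control(conf_text):
    """Return {domain: finding} for domains whose effective access control
    differs from what the ldap_access_filter setting suggests."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        # sssd.conf(5) as quoted in the ticket: Default: "permit"
        provider = cp.get(section, "access_provider", fallback="permit").strip().lower()
        has_filter = cp.has_option(section, "ldap_access_filter")
        if has_filter and provider != "ldap":
            findings[name] = f"ldap_access_filter ignored: access_provider is '{provider}'"
        elif provider == "ldap" and not has_filter:
            # Per the documentation quoted in the ticket: all users are denied.
            findings[name] = "access_provider = ldap without ldap_access_filter: all users denied"
    return findings

if __name__ == "__main__":
    for domain, finding in audit_access_control(SAMPLE_CONF).items():
        print(f"{domain}: {finding}")
```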
Comment from dpal at 2012-01-19 02:13:24
Fields changed
rhbz: => 0
Comment from simo at 2012-03-08 15:25:46
Fields changed
milestone: NEEDS_TRIAGE => void
Comment from sala at 2017-02-24 14:24:55
Metadata Update from @Sala: