
ldap_access_filter is ignored #1752

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments

Comments


sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/710

  • Created at 2010-12-13 16:16:54 by sala
  • Closed as Invalid
  • Assigned to nobody

No matter what I set the ldap_access_filter value to, I can still get successful access.

This might be a configuration issue, since there is not much documentation describing the use of this parameter other than "if you use LDAP as your access provider then you must specify a value for the ldap_access_filter option, otherwise all users will be denied access".

As I understand it, ldap_access_filter has an effect on the PAM access section after auth is successfully done. But https://fedorahosted.org/sssd/wiki/HOWTO_Configure does not even state that we need to add pam_sss.so to the access section. So I added "account required pam_sss.so" myself.

Also I don't see ldap_access_filter being executed in sssd_domain.log when using debug level 10.
Log is attached to this ticket.

Domain section from sssd.conf

[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://ldap.server
ldap_group_search_base = cn=groups,cn=accounts,dc=DOMAIN
ldap_user_search_base = cn=users,cn=accounts,dc=DOMAIN
ldap_access_filter = memberOf=cn=otrs-test,cn=groups,cn=accounts,dc=DOMAIN
ldap_tls_reqcert = hard
cache_credentials = False
enumerate = true
ldap_tls_cacert = /etc/openldap/ssl/ca.crt
ldap_id_use_start_tls = False
min_id = 5000
entry_cache_timeout = 60

Comments


Comment from sala at 2010-12-13 16:17:13

Attachment: sssd_DOMAIN.log


Comment from sgallagh at 2010-12-13 16:21:51

From sssd.conf(5)

       access_provider (string)
           The access control provider used for the domain. There are two
           built-in access providers (in addition to any included in installed
           backends) Internal special providers are:

           “permit” always allow access.

           “deny” always deny access.

           “simple” access control based on access or deny lists. See sssd-
           simple(5) for more information on configuring the simple access
           module.

           Default: “permit”

Note the "in addition to any included in installed backends" point. That should tell you that you need:

access_provider = ldap

in order for the ldap_access_filter option to have any meaning. Otherwise, we're defaulting to "permit".

Also, the HOWTO_Configure specifically states:

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

Which is what is needed to ensure that SSSD handles the account/access phase properly.

resolution: => invalid
status: new => closed
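The two points in that comment (ldap_access_filter is silently ignored unless access_provider = ldap is set, and the PAM account phase has to call pam_sss.so) are easy to check mechanically. The following Python lint is an added example, not part of the ticket or of SSSD itself: it parses a constructed sssd.conf modelled on the domain section above, flags every domain section that sets ldap_access_filter while access_provider is missing or not "ldap" (the manpage default is "permit", so such a filter never runs), rewrites the flagged sections with access_provider = ldap, and separately checks a constructed PAM stack for an account line that uses pam_sss.so. The helper names and the sample inputs are assumptions made for this example.

```python
import configparser
import io

# Constructed sample sssd.conf: the DOMAIN section mirrors the ticket and omits
# access_provider, so SSSD falls back to the built-in "permit" provider and the
# ldap_access_filter is never evaluated. OKDOMAIN is configured correctly.
SAMPLE_SSSD_CONF = """
[sssd]
domains = DOMAIN, OKDOMAIN
services = nss, pam

[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://ldap.server
ldap_access_filter = memberOf=cn=otrs-test,cn=groups,cn=accounts,dc=DOMAIN

[domain/OKDOMAIN]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=admins,cn=groups,cn=accounts,dc=OKDOMAIN
"""

# Constructed PAM stack lines (e.g. from /etc/pam.d/system-auth) in the form
# the HOWTO_Configure page gives for the account phase.
SAMPLE_PAM_STACK = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
"""


def load_sssd_conf(text):
    """Parse sssd.conf text; interpolation is disabled because values contain '%' and '='."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_access_filter(cp):
    """Return (section, message) for every domain that sets ldap_access_filter
    but whose access_provider (default "permit") is not "ldap"."""
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if "ldap_access_filter" not in sec:
            continue
        provider = sec.get("access_provider", "permit").strip().lower()
        if provider != "ldap":
            findings.append((section,
                             f"ldap_access_filter is set but access_provider is "
                             f"'{provider}', so the filter is ignored"))
    return findings


def fix_access_provider(cp):
    """Set access_provider = ldap in each flagged domain and return the corrected config text."""
    for section, _ in check_access_filter(cp):
        cp[section]["access_provider"] = "ldap"
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def pam_account_uses_sss(pam_text):
    """True if some non-comment 'account' line in the PAM stack invokes pam_sss.so.
    Handles both a plain control keyword and a bracketed [key=value ...] control field."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].lower() != "account":
            continue
        rest = parts[1]
        if rest.startswith("["):
            rest = rest[rest.index("]") + 1:] if "]" in rest else ""
        else:
            fields = rest.split(None, 1)
            rest = fields[1] if len(fields) > 1 else ""
        if rest.split()[:1] == ["pam_sss.so"]:
            return True
    return False


if __name__ == "__main__":
    conf = load_sssd_conf(SAMPLE_SSSD_CONF)
    for section, msg in check_access_filter(conf):
        print(f"{section}: {msg}")
    print(fix_access_provider(conf))
    print("PAM account phase calls pam_sss.so:", pam_account_uses_sss(SAMPLE_PAM_STACK))
```

Run it against a real file with `load_sssd_conf(open("/etc/sssd/sssd.conf").read())`; a domain that is flagged here is in exactly the state the ticket describes, with every user allowed through regardless of the filter.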


Comment from dpal at 2012-01-19 02:13:24

Fields changed

rhbz: => 0


Comment from simo at 2012-03-08 15:25:46

Fields changed

milestone: NEEDS_TRIAGE => void


Comment from sala at 2017-02-24 14:24:55

Metadata Update from @Sala:

  • Issue set to the milestone: void