I am trying to limit LDAP logins to the "admin" group.
This is my /etc/sssd/sssd.conf file:
[domain/default]
autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=moderator,ou=moderators,ou=test,o=organization,dc=example,DC=COM
min_id = 100
ldap_uri = ldaps://example.com:636/
ldap_default_authtok = Pa$$word
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cert = /etc/openldap/cacerts/certificate.pem
access_provider = ldap
ldap_access_filter = memberOf=cn=admin,ou=group,o=organization,dc=example,dc=com
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
I have tried to do id username and it comes up with:
id user
uid=90514(user) gid=20000(users) groups=20000(users),2480(admin)
When trying to change the user by doing su user, it gives the error su: Permission denied after the password is entered.
When removing the group limitation entries from sssd.conf, it works as expected and lets the user log in.
Any ideas where I have messed up?
Edit: For now I will set it up with /etc/security and PAM and that works. However I am still curious about doing it with sssd.
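The mismatch in the question (id lists the admin group, yet the ldap access filter denies the login) comes from the two lookups asking different questions. The following is an added example, not code from the question or any answer: a small Python model of how sssd's NSS side and its LDAP access provider each decide, run over constructed directory entries. All DNs, uids and attribute values below are sample data chosen to mirror the question; the point it shows is that a memberOf= filter is evaluated against the user's own entry, so it can only match when the server actually writes a memberOf attribute there.

```python
"""
Added example, not part of the original question or answers: a small model of
how sssd's LDAP access provider decides, written to show why `id` can list the
admin group while ldap_access_filter = memberOf=... still denies the login.

`id` is answered by the NSS side, which derives supplementary groups from
posixGroup entries (gidNumber / memberUid). The access filter, by contrast, is
ANDed into the search for the user's own entry, so it only matches when that
entry itself carries a memberOf attribute, i.e. when the server maintains
memberOf (the overlay). All entries and DNs below are constructed sample data.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

GROUP_DN = "cn=admin,ou=group,o=organization,dc=example,dc=com"
ACCESS_FILTER = "memberOf=" + GROUP_DN        # same shape as the question's filter
USER_PLAIN = "uid=user,ou=people,o=organization,dc=example,dc=com"
USER_WITH_MEMBEROF = "uid=user2,ou=people,o=organization,dc=example,dc=com"

# Constructed directory content, roughly what ldapsearch would return.
DIRECTORY: Dict[str, Entry] = {
    # user on a server that does NOT maintain memberOf
    USER_PLAIN: {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["user"],
        "uidNumber": ["90514"],
        "gidNumber": ["20000"],
    },
    # the same kind of user, but the server maintains memberOf on the entry
    USER_WITH_MEMBEROF: {
        "objectClass": ["posixAccount", "inetOrgPerson"],
        "uid": ["user2"],
        "uidNumber": ["90515"],
        "gidNumber": ["20000"],
        "memberOf": [GROUP_DN],
    },
    # posixGroup entries: this is what `id` resolves from
    "cn=users,ou=group,o=organization,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["users"], "gidNumber": ["20000"],
    },
    GROUP_DN: {
        "objectClass": ["posixGroup"], "cn": ["admin"], "gidNumber": ["2480"],
        "memberUid": ["user", "user2"],
    },
}


def normalize_filter(filt: str) -> str:
    """sssd accepts a bare attr=value and wraps it in parentheses itself."""
    filt = filt.strip()
    return filt if filt.startswith("(") else f"({filt})"


def get_attr(entry: Entry, name: str) -> List[str]:
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def matches_equality_filter(entry: Entry, filt: str) -> bool:
    """Evaluate one (attr=value) equality filter against a single entry.
    DN values are compared case-insensitively, which is enough for this model."""
    inner = normalize_filter(filt)[1:-1]
    attr, _, value = inner.partition("=")
    return any(v.lower() == value.lower() for v in get_attr(entry, attr))


def id_groups(directory: Dict[str, Entry], uid: str) -> List[str]:
    """Supplementary groups the way NSS/`id` sees them: every posixGroup that
    lists the uid in memberUid."""
    return sorted(
        get_attr(e, "cn")[0]
        for e in directory.values()
        if "posixGroup" in get_attr(e, "objectClass")
        and uid in get_attr(e, "memberUid")
    )


def ldap_access_decision(directory: Dict[str, Entry], user_dn: str,
                         access_filter: str) -> str:
    """access_provider = ldap: the user's entry is looked up again with the
    access filter ANDed in; if nothing comes back, access is denied."""
    entry = directory[user_dn]
    return "allow" if matches_equality_filter(entry, access_filter) else "deny"


if __name__ == "__main__":
    for dn in (USER_PLAIN, USER_WITH_MEMBEROF):
        uid = get_attr(DIRECTORY[dn], "uid")[0]
        print(f"{uid}: id groups={id_groups(DIRECTORY, uid)} "
              f"access={ldap_access_decision(DIRECTORY, dn, ACCESS_FILTER)}")
```

Running it prints that both users show the admin group to id, but only the entry carrying memberOf passes the access filter. The practical check this suggests is to search for the user's own entry and request the memberOf attribute; if the server returns none, the filter in sssd.conf can never match, whatever posixGroup membership says.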
According to https://www.mankier.com/5/sssd-ldap:
So apparently, adding access_provider = permit should fix your issue.
Does the overlay memberOf exist in your LDAP configuration? As far as I understand, this overlay needs to be explicitly configured before it can be used.
The following command's output should contain something such as 'memberof.la'. If not, then you probably should configure your LDAP server in the first place.
slapcat -n 0 | grep olcModuleLoad
This might be helpful:
https://tylersguides.com/guides/openldap-memberof-overlay/#configuration_tag
https://stackoverflow.com/questions/60994495/memberof-and-refint-does-not-work-in-openldap
This is more easily (some might say simply) done with the simple access control provider:
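A worked configuration for that provider, added here as an example and not part of this answer: it keeps the question's domain name and assumes the LDAP group is called admin, as in the question's id output. With access_provider = simple, sssd resolves the user's group list through the id provider, the same lookup that already answered id, so no memberOf attribute on the user entry is required.

```ini
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://example.com:636/
ldap_search_base = dc=example,dc=com
# replaces access_provider = ldap and its ldap_access_filter = memberOf=... line;
# "admin" is the group name from the question's id output (assumed LDAP group)
access_provider = simple
simple_allow_groups = admin
```

Two caveats that apply here: simple_allow_groups only evaluates groups from this sssd domain, so a group that exists only in the local /etc/group will not grant access, and after changing the access provider sssd has to be restarted (and a cached, previously denied user cleared with sss_cache) before the new decision takes effect.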