SSSD ignoring ldap_access_filter parameter

When I try to log in with an LDAP user, any user is permitted; it seems to ignore the ldap_access_filter option and allows all users to log in.

Responses

Hi Enrique, have a look at this article: How to restrict certain users or groups on client authenticating with sssd.

There are different options to limit this depending on your environment. If sssd.conf includes the line access_provider = ldap, then the ldap_access_filter option should be a valid filter. Try to test the filter, for instance using ldapsearch, to ensure that it matches as expected.

One other note on this: depending on the ordering in the PAM stack, sssd may be skipped in the PAM account section. ldap_access_filter being ignored during authentication

Hope these help.

Thanks for your response,

I am reviewing my configuration, and I attach the configuration files:

cat /etc/sssd/sssd.conf

[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, ssh, autofs
debug_level = 0x3ff0
debug_level = 9

[nss]
override_homedir = /home/%u
default_shell = /bin/bash
create_homedir = true

[pam]

[domain/ mydomain.com]
debug_level = 0x3ff0
debug_level = 5
ad_domain = mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
ldap_search_base = dc=mydomain,dc=com
ldap_access_filter = (memberOf = cn=usersallowedpermitted,ou=Users_linux,ou=,dc=mydomain,dc=com)

file /etc/pam.d/password-auth

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

When I try to log in with an LDAP user, any user is able to log in to my servers.

Regards, Enrique

Hi Enrique, the configuration shows access_provider = ad; for this, look at the options for ad_access_filter.

The man page for sssd-ad has some filter examples you can reference.

For an AD access provider, use the ad_access_filter option. See the sssd-ad(5) man page for details. The sssd documentation here provides information on both the ldap_access_filter and the AD filter.
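The mismatch described in this thread (a filter option set for one access provider while another is in use) is easy to catch before anyone logs in. The following check is an added example, not code from this thread or from the SSSD project: it parses a domain section, reports a filter that the configured access_provider will ignore, a provider left at the "permit" default, a missing filter, and a filter whose attribute part is not valid RFC 4515 syntax. The sample configuration and the group name are constructed to mirror the posted one.

```python
"""Lint sssd.conf access control: added example, not from this thread or SSSD."""
import configparser
import re

# Constructed sample mirroring the posted domain: AD provider plus the LDAP filter option.
SAMPLE_CONF = """
[domain/mydomain.com]
id_provider = ad
access_provider = ad
ldap_access_filter = (memberOf = cn=usersallowed,ou=Users_linux,dc=mydomain,dc=com)
"""
# The same domain using the option the AD provider reads, with a well-formed filter.
FIXED_CONF = SAMPLE_CONF.replace("ldap_access_filter = (memberOf = cn=",
                                 "ad_access_filter = (memberOf=cn=")

# Each access_provider honours exactly one filter option (sssd-ldap(5), sssd-ad(5)).
FILTER_OPTION = {"ldap": "ldap_access_filter", "ad": "ad_access_filter"}
# RFC 4515 shape: "(attr=value)" or "(&(...)(...))"; no whitespace inside attr.
FILTER_RE = re.compile(r"^\([A-Za-z][A-Za-z0-9.;-]*[~<>]?=|^\([&|!]\(")


def lint_access(conf_text):
    """Return [(section, message)] for each domain whose access control will
    not restrict logins the way its options suggest."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        provider = sec.get("access_provider", "permit").strip()  # sssd.conf(5) default
        wanted = FILTER_OPTION.get(provider)
        if provider == "permit":
            findings.append((section, "access_provider is permit: every resolvable user may log in"))
        for opt in FILTER_OPTION.values():  # a filter set for a provider not in use
            if opt in sec and opt != wanted:
                hint = f"; use {wanted}" if wanted else ""
                findings.append((section, f"{opt} is ignored with access_provider = {provider}{hint}"))
        if wanted and wanted not in sec:
            findings.append((section, f"{wanted} is unset: no filter-based restriction applies"))
        elif wanted and not FILTER_RE.match(sec[wanted].strip()):
            findings.append((section, f"{wanted} is not valid RFC 4515 syntax (check spaces around '=')"))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        for section, msg in lint_access(conf) or [("-", "no findings")]:
            print(f"{name} [{section}] {msg}")
```

Running it against a real /etc/sssd/sssd.conf only tells you what the configuration asks for; the PAM account ordering mentioned earlier in the thread still has to be checked separately.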