
I've used the sssd.conf file given below to authorize users on a server. The issue is that some users who are not listed under the DN cn=authorized,ou=rona,ou=servers,ou=groups,dc=yolo,dc=com can still access it. Users are created under ou=users,dc=yolo,dc=com. Any user listed there can access the resources, as mentioned before.

server DN: ou=rona,ou=servers,ou=groups,dc=yolo,dc=com

The configuration:

```ini
[sssd]
# section header required by sssd; it is missing from the file as posted
config_file_version = 2
services = nss, pam, autofs, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldap.yolo.com
ldap_chpass_uri = ldaps://ldap.yolo.com
ldap_search_base = dc=yolo,dc=com
ldap_user_search_base = ou=users,dc=yolo,dc=com
ldap_group_search_base = ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = <path>/certs
cache_credentials = False
ldap_tls_reqcert = demand
entry_cache_timeout = 6
ldap_network_timeout = 3
ldap_connection_expire_timeout = 6
debug_level = 9
ldap_default_bind_dn = uid=yolobind,ou=bind,dc=yolo,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = PASSWORD
ldap_schema = rfc2307
ldap_use_tls = true
enumerate = true

[sudo]
```


You are not filtering for that group, so every user is allowed.

You can add a filter like this:

```ini
ldap_access_filter = memberOf=cn=authorized,ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
```

Check whether memberOf matches your properties; it could also be uniqueMember.

Gerald Schneider
  • Tried that before with `access_provider = ldap`; it just removes access for every user. Is `ldap_access_filter` mandatory? If it is used, is it possible to remove `ldap_group_search_base`? – user11482797 May 30 '23 at 10:07
  • Why would you want to remove that? It's just the definition of where sssd should look for groups. – Gerald Schneider May 30 '23 at 10:09
  • I tried the solution you proposed, but it just removes access from every user. Do you know the reason behind that behavior? – user11482797 May 30 '23 at 10:17
  • Did you check the membership attribute of the user objects for the correct name and value? – Gerald Schneider May 30 '23 at 10:19
  • Yes, I'm able to log in with the admin user, who is in the authorized group, without the filter. When I applied it to remove access from the unwanted users, all the other users' access, including the admin's, got removed. In your opinion, is this caused by sssd or the ldap? – user11482797 May 30 '23 at 10:26
  • I can't tell you that; you are not providing enough information. – Gerald Schneider May 30 '23 at 10:54
  • Checked the auth.log, getting this error `"fatal: Access denied for user test-user by PAM account configuration [preauth]"` when the `ldap_access_filter` is used. – user11482797 May 31 '23 at 06:38
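An added check, not from the question or the answer, that audits the access-control settings of each `[domain/*]` section in an sssd.conf: it flags a domain with no `access_provider` (sssd's default is `permit`, so every user who authenticates gets in), an `ldap` provider with no `ldap_access_filter`, and a `memberOf` filter under `ldap_schema = rfc2307` (rfc2307 groups list members by `memberUid`; `memberOf` on user entries exists only when the directory maintains it, and a filter that matches nobody denies everybody). The three embedded configs are constructed from the page: the original, the answer's filter with `access_provider = ldap`, and an alternative using sssd's `simple` access provider, which relies on sssd's own group resolution.

```python
import configparser

# Constructed from the question's sssd.conf (abbreviated, with the [sssd]
# header every sssd.conf needs); access_provider is absent, as on the page.
ORIGINAL = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.yolo.com
ldap_user_search_base = ou=users,dc=yolo,dc=com
ldap_group_search_base = ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
ldap_schema = rfc2307
"""
# The answer's filter, plus the access_provider line that makes sssd apply it.
FILTERED = ORIGINAL + """
access_provider = ldap
ldap_access_filter = memberOf=cn=authorized,ou=rona,ou=servers,ou=groups,dc=yolo,dc=com
"""
# Alternative: sssd's simple provider checks the group it resolved itself,
# which works with rfc2307 memberUid groups and needs no memberOf attribute.
SIMPLE = ORIGINAL + """
access_provider = simple
simple_allow_groups = authorized
"""

def audit_access_control(conf_text):
    """Return findings describing who each [domain/*] section lets log in."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        provider = d.get("access_provider", "permit")  # sssd's default
        if provider == "permit":
            findings.append(f"{section}: no access_provider, so every user who "
                            "authenticates is allowed in")
        elif provider == "ldap" and "ldap_access_filter" not in d:
            findings.append(f"{section}: access_provider = ldap without "
                            "ldap_access_filter")
        elif provider == "ldap" and "memberof=" in d["ldap_access_filter"].lower() \
                and d.get("ldap_schema", "rfc2307") == "rfc2307":
            findings.append(f"{section}: memberOf filter with ldap_schema = rfc2307; "
                            "unless the directory maintains memberOf on user "
                            "entries the filter matches nobody, so everyone is denied")
    return findings
```

Run `audit_access_control(ORIGINAL)` to see why everyone gets in, and `audit_access_control(FILTERED)` to see why the filter alone can lock everyone out.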