On 04/12/2013 08:26 AM, Licause, Al (BCS) wrote:
> The following entry into an ldap.conf file on a RHEL V5 system
> provides for the ability to limit users based on their GID values:
> 
> nss_base_passwd OU=ldap,DC=mydomain,DC=net?one?|(gidNumber=11001) (gidNumber=11003)
> 
> Only those users with GIDs of 11001 or 11003 can log in.  All
> others are prohibited.
> 
> I’ve tried the same filter in sssd.conf on a v6 RHEL system but
> can’t seem to get it to work.
> 
> It doesn’t cause any syntax errors but it is ignored.
> 
> I’ve also tried placing an “=” sign after the nss_base_passwd
> string and quoting everything after the “=” sign….to no avail.
> 
> Can anyone explain the sssd syntax for accomplishing this task?

There are two ways to accomplish what you're asking, depending on what
you really mean:

The way that behaved in nss_ldap was that only users whose primary GID
was either 11001 or 11003 would be *visible* to the system. That means
that any other user would not appear with 'getent passwd username' if
they didn't have the right primary GID.

This can be done in sssd with the ldap_user_search_base option:
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?(|(gidNumber=11001) (gidNumber=11003))


However, if you want all users to be viewable with 'getent passwd
username' but only some users able to log in, you want to do this instead:

ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(gidNumber=11001) (gidNumber=11003))

This will allow the system to "see" all users, but only permit those
with that primary GID to actually log in.
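To make the difference between the two approaches concrete, here is an added Python model written for this thread (not sssd's own code) that parses a single-entry "base?scope?filter" search base and an ldap_access_filter, then evaluates both against constructed user entries; the accepted scope keywords and the tolerance of spaces between filter components are assumptions.

```python
def parse_filter(s, i=0):
    # RFC 4515 subset: (attr=value), (&...), (|...); spaces between items skipped
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    if s[i + 1] in "&|":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
            while s[i] == " ":
                i += 1
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i + 1:j].partition("=")
    return ("=", attr.strip(), val.strip()), j + 1

def parse_whole_filter(s):
    node, end = parse_filter(s)
    if s[end:].strip():
        raise ValueError(f"trailing data after filter: {s[end:]!r}")
    return node

def is_valid_filter(s):
    try:
        parse_whole_filter(s)
        return True
    except (ValueError, IndexError):
        return False

def matches(node, entry):
    if node[0] == "=":
        return str(entry.get(node[1], "")) == node[2]
    return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])

def parse_search_base(value):
    # sssd's "base?scope?filter" form; an empty trailing filter means no filter
    base, _, rest = value.partition("?")
    scope, _, filt = rest.partition("?")
    if scope not in ("", "base", "one", "onelevel", "sub", "subtree"):  # assumed keywords
        raise ValueError(f"bad scope {scope!r}")
    return base, scope or "sub", parse_whole_filter(filt) if filt.strip() else None

def visible_users(search_base, users):
    # what 'getent passwd' enumerates under this ldap_user_search_base
    filt = parse_search_base(search_base)[2]
    return [u["uid"] for u in users if filt is None or matches(filt, u)]

def login_allowed(access_filter, user):
    # what access_provider = ldap with ldap_access_order = filter decides
    return matches(parse_whole_filter(access_filter), user)
```

Run against constructed entries such as `{"uid": "bob", "gidNumber": 11002}`, the filtered search base hides the user entirely, while the plain search base plus access filter keeps the user visible but denies the login; the unparenthesized form from the question fails `is_valid_filter`.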
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users