On Mon, Sep 16, 2013 at 10:34:58AM -0700, Doug Clow wrote:
> Hi Jakub,
>
> I would definitely use that ad_access_filter feature. In fact that is how I
> expected it was going to work and tried it out originally.

Great, thank you! I flagged your e-mail so that I ping you when the new
feature is ready (hopefully by the end of the week).

> It would also be cool if there was a way to specify users and groups
> that did not require the whole distinguished name. A ldap-simple mode
> if you will. I know there are technical issues that make this hard to
> work for group membership. But, that way sssd could authenticate a user
> or group regardless if it had been moved to another OU. Maybe by using
> "pre-Windows 2000" name or SID. It would be more Windows like behavior.

I don't disagree, but at the very least I think that the option that
behaves as you described should be named differently, not "filter".

Also, do you see a reason why the simple access provider wouldn't be fit
for this use case? (I can think of "not having to update all client
sssd.conf files" for certain configurations, but I want to see if we're
looking at the problem from the same angle.)

Would you have time to quickly draft a use-case example of this option
you propose? Just an example of the config option is fine.

>
> I'm happy to do some testing. Our environment here is CentOS 6.4

I'm working on the new option this week and will ping you when it's
ready. Thank you again for the offer to test new functionality!

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users