Rather than filtering off a single group, why not use the simple_allow_groups 
key value? This will allow multiple groups to access the system should the 
need ever arise. 
For the local users, that is outside sssd for the most part; look at your pam 
configs and nsswitch.




> On June 10, 2020 at 5:42 AM "Sangster, Mark" <m.v.sangs...@abdn.ac.uk> wrote:
> 
> 
> Hello,
> 
> I was attempting to utilise the AD provider for access control, however I 
> cannot make it work with members of nested groups. i.e. when using the 
> LDAP_MATCHING_RULE_IN_CHAIN.
> 
> This functions:
> 
> access_provider = ldap
> ldap_sasl_authid = SERVER$@DOMAIN
> ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
> 
> This doesn’t:
> 
> access_provider = ad
> ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)
> 
> Have I missed anything?
> 
> It would also be useful if it is possible to allow local users access 
> alongside the remote users. e.g. allow both “domain_account” and 
> “local_account” access. Is that possible?
> 
> Thanks
> Mark
> 
> ------------------------------------------------------------------------
> Mark Sangster
> Server Infrastructure Specialist
> 
> Information Technology Services | University of Aberdeen
> t: +44 (0)1224 27-3315 | e: mailto:m...@abdn.ac.uk | u: 
> http://www.abdn.ac.uk/it/
> 
> 
> The University of Aberdeen is a charity registered in Scotland, No SC013683.
> Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. 
> SC013683.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
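
Added example (not part of the original thread, and not SSSD or Active Directory code): a small Python model of what a plain memberOf filter matches compared with the LDAP_MATCHING_RULE_IN_CHAIN form quoted above, plus a multi-group allow list. The directory contents, the Admins and Staff groups, the user DNs and all function names are constructed for illustration; treating nested membership as counting for the allow list is an assumption of the model.

```python
# Model of nested-group matching over constructed data; not SSSD or AD code.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, from the thread
SERVER_GROUP = "CN=ServerGroup,OU=Groups,DC=DOMAIN"  # group DN used in the thread
ADMINS = "CN=Admins,OU=Groups,DC=DOMAIN"             # constructed
STAFF = "CN=Staff,OU=Groups,DC=DOMAIN"               # constructed

# Constructed directory: entry DN -> its direct memberOf values.
MEMBER_OF = {
    "CN=alice,OU=Users,DC=DOMAIN": [SERVER_GROUP],  # direct member
    "CN=bob,OU=Users,DC=DOMAIN": [ADMINS],          # member only via nesting
    "CN=carol,OU=Users,DC=DOMAIN": [STAFF],         # unrelated group
    ADMINS: [SERVER_GROUP],                         # Admins nested in ServerGroup
    SERVER_GROUP: [ADMINS],                         # circular nesting must not loop
}

def in_chain_filter(group_dn):
    """Build the filter text in the form used in the thread."""
    return f"(memberOf:{IN_CHAIN_OID}:={group_dn})"

def direct_match(dn, group_dn):
    """(memberOf=<group>): compares only the entry's own memberOf values."""
    return group_dn in MEMBER_OF.get(dn, [])

def in_chain_match(dn, group_dn):
    """(memberOf:<OID>:=<group>): follows memberOf links transitively."""
    seen, stack = set(), list(MEMBER_OF.get(dn, []))
    while stack:
        current = stack.pop()
        if current == group_dn:
            return True
        if current not in seen:  # guard against circular nesting
            seen.add(current)
            stack.extend(MEMBER_OF.get(current, []))
    return False

def allowed_by_group_list(dn, allow_groups):
    """Allow list over several groups, the idea behind simple_allow_groups.
    Assumption: nested membership counts toward each listed group."""
    return any(in_chain_match(dn, g) for g in allow_groups)

if __name__ == "__main__":
    print(in_chain_filter(SERVER_GROUP))
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=DOMAIN"
        print(user, direct_match(dn, SERVER_GROUP), in_chain_match(dn, SERVER_GROUP))
```
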
