Ah, apologies, I'd missed the inability to define an LDAP group. Coul you perhaps consider not restricting it within SSSD, and use a pam group restriction and a local group?
John -- John Hodrien (he/him) Principal Teaching and Research Support Specialist, School of Computer Science 2.22 Bragg Building, University of Leeds ________________________________ From: Tomas Halman <[email protected]> Sent: 15 September 2025 13:57 To: End-user discussions about the System Security Services Daemon <[email protected]> Cc: frank rust <[email protected]>; John Hodrien <[email protected]> Subject: Re: [SSSD-users]Re: Simple question ? CAUTION: External Message. Use caution opening links and attachments. I would say that with this number of users manual managing filters or simple_allow_* lists is really not sustainable and error prone. Maybe you can reverse the condition? Is there anything that can distinguish those two sets of users? Or is it really a random set? Tomáš On Fri, Sep 12, 2025 at 2:14 PM John Hodrien via sssd-users <[email protected]<mailto:[email protected]>> wrote: I would think about whether you're wanting to filter visibility and knowledge of users, or simply filter access to be able to use the machine. Thinks like simple_allow_users / simple_allow_groups would likely be a much simpler method to restrict access, if you're content with user/group information being available to the machine, and just want to restrict access. man sssd-simple for that. John ________________________________ From: frank rust via sssd-users <[email protected]<mailto:[email protected]>> Sent: 12 September 2025 13:02 To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> Cc: frank rust <[email protected]<mailto:[email protected]>> Subject: [SSSD-users]Simple question ? CAUTION: External Message. Use caution opening links and attachments. Hi all, I am new to this list. So if this is a common question, I apologise in advance. I have to filter the access to a system to allow several hundred users out of a ldap server with several 10 thousands of users. How would I do this? I think the way to define a simple filter line ``` ldap_user_search_filter = ( | (uid=user_1)(uid=user_2)(uid=user_7470)(...) ) ``` is not possible for the amount of users. I have no possibility to create a new group in ldap or add anything else, I only have read access. What can I do? Thanks in advance Frank -- _______________________________________________ sssd-users mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> Fedora Code of Conduct: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=05%7C02%7Cj.h.hodrien%40leeds.ac.uk%7Cac877d963bbe4f7e783208ddf1f43ed0%7Cbdeaeda8c81d45ce863e5232a535b7cb%7C0%7C0%7C638932753520352971%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=NHZGKHtB9V%2FsADQYo77ej2r6JbHjo2UE%2FDiErvneiN0%3D&reserved=0<https://docs.fedoraproject.org/en-US/project/code-of-conduct/> List Guidelines: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=05%7C02%7Cj.h.hodrien%40leeds.ac.uk%7Cac877d963bbe4f7e783208ddf1f43ed0%7Cbdeaeda8c81d45ce863e5232a535b7cb%7C0%7C0%7C638932753520384915%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=OUm7AhrnC0wotXW5dmf%2BJO91j7Qmu8b89k5xm82xFVs%3D&reserved=0<https://fedoraproject.org/wiki/Mailing_list_guidelines> List Archives: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted.org&data=05%7C02%7Cj.h.hodrien%40leeds.ac.uk%7Cac877d963bbe4f7e783208ddf1f43ed0%7Cbdeaeda8c81d45ce863e5232a535b7cb%7C0%7C0%7C638932753520402261%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Y1LLlNOtZXzT5y7Dd9sliQ599bNylDFgS6u8FWu1clM%3D&reserved=0<https://lists.fedorahosted.org/archives/list/[email protected]> Do not reply to spam, report it: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io%2Ffedora-infrastructure%2Fnew_issue&data=05%7C02%7Cj.h.hodrien%40leeds.ac.uk%7Cac877d963bbe4f7e783208ddf1f43ed0%7Cbdeaeda8c81d45ce863e5232a535b7cb%7C0%7C0%7C638932753520417992%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=6OrtcMNWxjtoEEXw0nRf6HNDGpMi6MqIM%2BtqLlPEp8U%3D&reserved=0<https://pagure.io/fedora-infrastructure/new_issue> -- _______________________________________________ sssd-users mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- Tomáš Halman
-- _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
