[SSSD-users] Re: filter out disabled ipa user

thanks jakub, we'll give this a try stijn On 12/10/18 9:33 AM, Jakub Hrozek wrote: > On Thu, Dec 06, 2018 at 10:59:04AM -0000, Stijn De Weirdt wrote: >> hi all, >> >> we are using ipa as id_provider/access_provider/auth_provider for a domain, and we want to somehow completely hide users that are disabled in ipa. for now, disabled users are still known on the hosts (eg "getent passwd userxyz" works and gives the correct userid). we would like that eg "getent passwd userxyz" returns nothing (in particular we want that that userid can't start any new process anymore, and that the nfs mounts show that files the belong to the disabled user show up as owned by nobody etc etc. >> >> is there any way to filter these users? perhaps some config setting i overlooked, or some ldap filter i can use? > > If by disabled users you mean calling 'ipa user-disable' and e.g. not > locking our after login attempts, then I guess a variant of: > > ldap_user_search_base = cn=accounts,dc=ipa,dc=test?sub?(nsaccountlock=false) > > just using your search base might work. > _______________________________________________ > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... >