thanks jakub,
we'll give this a try
stijn
On 12/10/18 9:33 AM, Jakub Hrozek wrote:
> On Thu, Dec 06, 2018 at 10:59:04AM -0000, Stijn De Weirdt wrote:
>> hi all,
>>
>> we are using ipa as id_provider/access_provider/auth_provider for a domain, and
>> we want to somehow completely hide users that are disabled in ipa. for now, disabled users
>> are still known on the hosts (eg "getent passwd userxyz" works and gives the
>> correct userid). we would like that eg "getent passwd userxyz" returns nothing
>> (in particular we want that that userid can't start any new process anymore, and that
>> the nfs mounts show that files that belong to the disabled user show up as owned by nobody
>> etc etc).
>>
>> is there any way to filter these users? perhaps some config setting i
>> overlooked, or some ldap filter i can use?
>
> If by disabled users you mean calling 'ipa user-disable' and e.g. not
> locking out after login attempts, then I guess a variant of:
>
> ldap_user_search_base = cn=accounts,dc=ipa,dc=test?sub?(nsaccountlock=false)
>
> just using your search base might work.
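
Added example, not part of the thread and not SSSD code: a Python sketch that splits the `base?scope?filter` value suggested above and applies its equality filter to three constructed entries, to show which accounts such a filter leaves visible. The entries, the user names and the case-insensitive comparison are assumptions; whether accounts in a given directory actually carry `nsAccountLock` has to be checked there, because an entry without the attribute is filtered out as well.

```python
# Added illustration with constructed entries; not SSSD code.
SCOPES = {"base", "onelevel", "subtree", "sub"}  # "sub" is the spelling used in the thread

def parse_search_base(value):
    """Split one 'base?scope?filter' triple into its parts."""
    parts = value.split("?")
    if len(parts) == 1:
        return parts[0], None, None          # plain base, no filter
    if len(parts) != 3:
        raise ValueError("this sketch handles a single base?scope?filter triple")
    base, scope, flt = parts
    if scope.lower() not in SCOPES:
        raise ValueError(f"unknown scope: {scope!r}")
    return base, scope.lower(), flt or None

def parse_equality(flt):
    """Parse '(attr=value)'; compound filters are outside this sketch."""
    if not (flt.startswith("(") and flt.endswith(")")) or "=" not in flt:
        raise ValueError(f"not a simple equality filter: {flt!r}")
    attr, value = flt[1:-1].split("=", 1)
    return attr.lower(), value

def matches(attrs, flt):
    attr, wanted = parse_equality(flt)
    values = {k.lower(): v for k, v in attrs.items()}.get(attr)
    if values is None:
        return False   # LDAP: an equality test on an absent attribute does not match
    # Assumption of this sketch: values compare case-insensitively.
    return any(v.casefold() == wanted.casefold() for v in values)

def visible_users(entries, option_value):
    """Return the uids a lookup restricted by option_value would still see."""
    base, _scope, flt = parse_search_base(option_value)  # scope treated as subtree here
    seen = []
    for dn, attrs in entries:
        if not dn.lower().endswith(base.lower()):
            continue
        if flt is None or matches(attrs, flt):
            seen.append(attrs["uid"][0])
    return seen

# Constructed sample entries (not from a real directory).
SUFFIX = "cn=users,cn=accounts,dc=ipa,dc=test"
ENTRIES = [
    (f"uid=alice,{SUFFIX}", {"uid": ["alice"], "nsAccountLock": ["FALSE"]}),
    (f"uid=bob,{SUFFIX}", {"uid": ["bob"], "nsAccountLock": ["TRUE"]}),
    (f"uid=carol,{SUFFIX}", {"uid": ["carol"]}),  # attribute absent
]
OPTION = "cn=accounts,dc=ipa,dc=test?sub?(nsaccountlock=false)"

if __name__ == "__main__":
    print(visible_users(ENTRIES, OPTION))
```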