Hi, You could have a look into /etc/security/access.conf. Perhaps that's what you are looking for... Cheers, mathias 2015-07-16 12:07 GMT+02:00 Ondrej Valousek <Ondrej.Valousek(a)s3group.com&gt;:

Well, can we use HBAC with AD backend? Don’t think so…. O. From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Dmitri Pal Sent: 16 July 2015 16:05 To: sssd-users(a)lists.fedorahosted.org Subject: Re: [SSSD-users] Reject new users form logging in On 07/16/2015 06:07 AM, Ondrej Valousek wrote: Hi List, We I know I am probably crying at the wrong grave – but I’ll give it a try anyway ☺: Does anyone know if I can somehow prevent new users from logging in to a certain machine? We have a logon server here with SSSD which needs a maintenance. I know there is pam_nologin, but I still need to allow users with disconnected NX sessions there to connect and properly terminate those. What kind of central access control you use? You can set something in your LDAP if you use LDAP based access control or change HBAC rules if you use IPA. Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com<mailto:communications@s3group.com>. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org> https://lists.fedorahosted.org/mailman/listinfo/sssd-users -- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc. ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

On 07/16/2015 10:24 AM, Lukas Slebodnik wrote: But you can also use the basic LDAP based access control that relies on a filter. See sssd-ldap. Search for "filter". There are some restrictions though. -- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc.

On 07/16/2015 10:46 AM, Ondrej Valousek wrote: It is in sssd 1.12. But it is disabled by default you need to configure it anyways. -- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc.