We did some testing on these and while for some reason I botched the syntax
for the filter, we finally got both solutions to work.
It should be noted that the component between the question marks, in this case
"?one?" can take on any one of four values....base|one|sub|children.
In our case we had to use sub or remove that component from the filter to get
this to work as our groups of users are actually each in their own OU's.
Thanks to all that replied.
[mailto:firstname.lastname@example.org] On Behalf Of Stephen Gallagher
Sent: Friday, April 12, 2013 8:46 AM
Subject: Re: [SSSD-users] How to restrict users by GID
-----BEGIN PGP SIGNED MESSAGE-----
On 04/12/2013 08:26 AM, Licause, Al (BCS) wrote:
The following entry into an ldap.conf file on a RHEL V5 system
provides for the ability to limit users
based in their GID values:
Only those users with GID’s of 11001 or 11003 can login. All others
I’ve tried the same filter in sssd.conf on a v6 RHEL system but can’t
seem to get it to work.
It doesn’t cause any syntax errors but it is ignored.
I’ve also tried placing an “=” sign after the nss_base_passwd string
and quoting everything after
the “=” sign….to no avail.
Can anyone explain the sssd syntax for accomplishing this task ?
There are two ways to accomplish what you're asking, depending on what you really
The way that behaved in nss_ldap was that only users whose primaryGID was wither 11001 or
11003 would be *visible* to the system. That means that any other user would not appear
with 'getent passwd username' if they didn't have the right primary GID.
This can be done in sssd with the ldap_user_search_base option:
However, if you want all users to be viewable with 'getent passwd username' but
only some users able to log in, you want to do this instead:
ldap_user_search_base = OU=ldap,DC=mydomain,DC=net?one?
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(gidNumber=11001) (gidNumber=11003))
This will allow the system to "see" all users, but only permit those with that
primary GID to actually log in.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
sssd-users mailing list