On Thu, Dec 06, 2018 at 10:59:04AM -0000, Stijn De Weirdt wrote:
we are using ipa as id_provider/access_provider/auth_provider for a domain, and we want to somehow completely hide users that are disabled in ipa. for now, disabled users are still known on the hosts (e.g. "getent passwd userxyz" works and gives the correct userid). we would like that e.g. "getent passwd userxyz" returns nothing (in particular we want that userid to not be able to start any new process anymore, and that the nfs mounts show files that belong to the disabled user as owned by nobody etc).

is there any way to filter these users? perhaps some config setting i overlooked, or some ldap filter i can use?
If by disabled users you mean calling 'ipa user-disable' and e.g. not
locking out after login attempts, then I guess a variant of:
ldap_user_search_base = cn=accounts,dc=ipa,dc=test?sub?(nsaccountlock=false)
just using your search base might work.
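As an added example (not from the thread and not sssd code), the following Python sketch splits sssd's `base?scope?filter` tuple and evaluates the filter over constructed FreeIPA-style user entries, so you can see which uids survive the `(nsaccountlock=false)` filter before touching a host. The entries, the `visible_users` helper and the filter evaluator are all constructed here; the evaluator covers only equality, NOT, AND and OR.

```python
"""Evaluate the nsaccountlock filter from an sssd ldap_user_search_base tuple
against constructed FreeIPA-style user entries (added example, not sssd code)."""
import re

# Constructed sample entries, not taken from a real directory.
USERS = [
    {"uid": "alice", "nsaccountlock": "FALSE"},  # enabled, attribute explicit
    {"uid": "bob", "nsaccountlock": "TRUE"},     # disabled via 'ipa user-disable'
    {"uid": "carol"},                            # attribute absent on this entry
]

def split_search_base(value):
    """Split sssd's 'base?scope?filter' form; a bare base means subtree scope, no filter."""
    parts = value.split("?")
    if len(parts) == 1:
        return parts[0], "sub", None
    if len(parts) != 3:
        raise ValueError("expected base?scope?filter, got %r" % value)
    return parts[0], parts[1], parts[2]

def _split_filters(s):
    """Split '(a)(b)(!(c))' into its top-level parenthesised components."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            out.append(s[start:i + 1])
            start = i + 1
    return out

def match(entry, flt):
    """Evaluate a small subset of RFC 4515 filters: equality, NOT, AND, OR.
    Equality compares case-insensitively (nsaccountlock has Boolean syntax)
    and, as in LDAP, never matches an entry that lacks the attribute."""
    if flt.startswith("(!"):
        return not match(entry, flt[2:-1])
    if flt[1] in "&|":
        results = [match(entry, s) for s in _split_filters(flt[2:-1])]
        return all(results) if flt[1] == "&" else any(results)
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter %r" % flt)
    attr, value = m.groups()
    return attr in entry and entry[attr].lower() == value.lower()

def visible_users(search_base, users=USERS):
    """Return the uids sssd would still see under the given search base tuple."""
    _base, _scope, flt = split_search_base(search_base)
    return [u["uid"] for u in users if flt is None or match(u, flt)]
```

Note the difference on an entry that carries no nsaccountlock value at all: `(nsaccountlock=false)` hides carol, while `(!(nsaccountlock=TRUE))` keeps her, so check how your directory stores the attribute on enabled users before choosing the filter.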