On 06/05/2015 10:58 AM, Mayberry, Alexander wrote:
> We are currently using legacy ldap, with access.conf to control login rights.

You should be able to continue using access.conf for netgroup filters. The man pages for sssd do not indicate support for access filtering on netgroups, internal to sssd.

> ldap_access_filter = (&(objectclass=nisnetgroup)(cn=rhel7satellite6_machine,ou=Machines,ou=Netgroups,dc=ds,dc=west,dc=com))
> ...
> Based on everything I’ve read, the only way to filter on a netgroup of users is to use the “memberof” plugin.

Yes, I believe that would be the only way to do so that would be entirely internal to sssd.

> I was hoping to learn from someone with more experience in this area if this is indeed the only way to solve this, or if there might be some way to configure the filter that will work in this manner without modifying the directory schema.

I'd recommend keeping access.conf.
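
Added example, not part of the original message and not sssd or pam_access code: a sketch of how netgroup membership is resolved from RFC 2307 `nisNetgroup` entries, showing that membership lives in `nisNetgroupTriple` / `memberNisNetgroup` values on the netgroup entry rather than on the user's entry, which is why a filter on the user entry needs a back-reference such as memberOf. The directory contents, netgroup names and user names are constructed for illustration.

```python
import re

# Constructed sample data shaped like RFC 2307 nisNetgroup entries.
# All netgroup, host and user names here are hypothetical.
NETGROUPS = {
    "linux_admins": {
        "nisNetgroupTriple": ["(,alice,)", "(-,bob,)"],
        "memberNisNetgroup": ["oncall"],
    },
    "oncall": {
        "nisNetgroupTriple": ["(,carol,)"],
        "memberNisNetgroup": ["linux_admins"],  # deliberate cycle
    },
    "machines": {
        "nisNetgroupTriple": ["(host1.example.com,-,)"],
        "memberNisNetgroup": [],
    },
}

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value):
    """Split '(host,user,domain)' into its three fields."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
    return tuple(field.strip() for field in m.groups())


def user_in_netgroup(user, netgroup, directory=NETGROUPS, _seen=None):
    """True if `user` is a member of `netgroup`, following nested netgroups."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in directory:
        return False  # already visited (cycle) or unknown netgroup
    seen.add(netgroup)
    entry = directory[netgroup]
    for raw in entry.get("nisNetgroupTriple", []):
        _host, member, _domain = parse_triple(raw)
        # An empty field is a wildcard; "-" means "no valid value".
        if member != "-" and member in ("", user):
            return True
    return any(user_in_netgroup(user, child, directory, seen)
               for child in entry.get("memberNisNetgroup", []))
```
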