Thank you for your suggestions. I got it working after realizing that the problem was in the AD DN plugin, where addn_filter was set to evaluate only nsAccount as objectClass. However, your PAM config looks better and, I must confess, I am not a PAM guru. I will explore this topic further.

Regarding my second question, reported here: I think it would be better to sync AD users that belong to a specific AD group, in order to have more control over it, instead of defining a specific OU.

I've seen a page which reports the existence of "Support Filters": https://directory.fedoraproject.org/docs/389ds/design/winsync-rfe.html#2-support-filters-1

And it says:

    new config parameters in windows sync agreement:

    winSyncWindowsFilter: additional_filter_on_AD
    winSyncDirectoryFilter: additional_filter_on_DS

    Example:

    winSyncWindowsFilter: (|(cn=*user*)(cn=*group*))
    winSyncDirectoryFilter: (|(uid=*user*)(cn=*group*))

Anyway, it is not clear whether my installed version supports this feature: 389-Directory/1.4.4.11 B2021.139.1122

Thanks for your support. Appreciated.