Ulrich Hiller wrote: > i thought this too. > I think this: > > access_provider = ldap > ldap_access_filter = memberOf=host=does-not-exist-host > ldap_access_order = filter > ldap_user_authorized_host = host > > must confuse sssd so much that it denies login. But the user without > host attribute can still login. > Wait - are you saying that it didn't deny, but now it does? If that's the case, then you're almost there, just that the condition is backwards (like sshd_config, with PermitRootLogin Without-Password means that you have to use a key, not that it permits root to come in without a password.... mark _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos