Hi,
thanks for your answer.
I have implemented the ldap_search_base. But the disabled users are still listed in
getent passwd
That means they are present for PAM.
Any other ideas?
Best regards, Rikus
James Ralston ralston@pobox.com wrote on 12 September 2019 at 00:08:
On Wed, Sep 11, 2019 at 3:05 PM Hinrikus Wolf hinrikus@fsmpi.rwth-aachen.de wrote:
ldap_search_base = dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Putting an (objectClass=user) filter in ldap_search_base will exclude all groups, as ldap_search_base is used for both user and group queries.
A modified version of your filter works just fine for us:
ldap_search_base = dc=example,dc=org?subtree?(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This successfully excludes computer objects and terminated objects.
As Jakub said, you can use ldapsearch to test your filter. E.g.:
$ ldapsearch \
    -z 0 \
    -E pr=2147483647/noprompt \
    -o ldif-wrap=no \
    -L \
    -L \
    -H 'ldap:///dc%3Dexample%2Cdc%3Dorg' \
    -Y GSSAPI \
    -b "dc=example,dc=org" \
    "(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" \
    dn
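To make the difference between the two filters in this thread concrete, here is an added worked example (it is not code from the thread, from sssd or from Active Directory). It evaluates both filters, the original one with (objectClass=user) and James's revised one, against a handful of constructed AD-style entries: an enabled user, a disabled user, a computer account and a group. The only real identifiers are the matching-rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) and the userAccountControl bit 0x2 (ACCOUNTDISABLE); the entry names, uidNumbers and home directories are invented for the demonstration. The parser covers only the filter syntax used in the thread.

```python
"""Evaluate the thread's ldap_search_base filters against constructed entries.

Added example, not code from the thread or from sssd. Entries are constructed;
the matching-rule OID and the ACCOUNTDISABLE bit are the real AD values.
"""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                 # userAccountControl bit for a disabled account

# Constructed directory entries: attribute name -> list of string values.
ENTRIES = {
    "alice": {"objectClass": ["top", "person", "user"], "uidNumber": ["10001"],
              "unixHomeDirectory": ["/home/alice"], "userAccountControl": ["512"]},
    "bob": {"objectClass": ["top", "person", "user"], "uidNumber": ["10002"],
            "unixHomeDirectory": ["/home/bob"], "userAccountControl": ["514"]},  # 512 | 2: disabled
    "ws01$": {"objectClass": ["top", "person", "user", "computer"],
              "userAccountControl": ["4096"]},
    "admins": {"objectClass": ["top", "group"], "gidNumber": ["20001"]},  # no userAccountControl
}

# The two filters discussed in the thread.
ORIGINAL = ("(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)"
            "(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
REVISED = "(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

ITEM_RE = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def parse(s, i=0):
    """Recursive-descent parser for the subset used here:
    (&...), (|...), (!...), (attr=value), (attr=*), (attr:OID:=value).
    Returns (node, index_after_closing_paren)."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        assert s[i] == ")"
        return ("!", node), i + 1
    j = s.index(")", i)                       # values in these filters contain no ')'
    m = ITEM_RE.fullmatch(s[i:j])
    if m is None:
        raise ValueError("unsupported filter item: " + s[i:j])
    attr, rule, value = m.groups()
    return ("item", attr, rule, value), j + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry. An absent attribute makes an
    item FALSE, so (!(userAccountControl:...:=2)) is TRUE for a group that has
    no userAccountControl at all, which is why the revised filter keeps groups."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, value = node
    # LDAP attribute names are case-insensitive.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if not values:
        return False
    if value == "*":                          # presence filter
        return True
    if rule == BIT_AND:                       # all bits of the assertion value must be set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule: " + rule)
    return any(v.lower() == value.lower() for v in values)


def matching(filter_text, entries=ENTRIES):
    """Return the sorted names of entries that match the filter."""
    node, end = parse(filter_text)
    assert end == len(filter_text), "trailing characters in filter"
    return sorted(name for name, entry in entries.items() if evaluate(node, entry))


if __name__ == "__main__":
    print("original filter matches:", matching(ORIGINAL))   # only alice
    print("revised filter matches: ", matching(REVISED))    # alice and the group admins
```

Running it shows that both filters drop the disabled user bob and the computer ws01$, but only the revised filter still returns the group admins, which is the point James makes about ldap_search_base being used for group queries too. One thing such a filter check cannot show is sssd's own cache: an entry that was already cached before the filter change keeps appearing in getent passwd until it expires or the cache is cleared, so a stale cache is worth ruling out before concluding that the filter itself is wrong.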