For simple access provider, is there a way to configure it to deny every user from the domain(LDAP) by using some combinations of simple_allow_* and simple_deny_* ? 

I'm developing a base sssd configuration for the users to modify, right now the default is:

simple_allow_group = (empty string here)

This will allow everyone to login, but I want to keep the default config to deny every user from LDAP considering security. 

Thanks,

Aaron