On Sat, Sep 14, 2019 at 11:57:09AM +0200, Hinrikus Wolf wrote:
Hi,
On 12.09.19 21:30, Lukas Slebodnik wrote:
man sssd-ad says:

NOTES
The AD access control provider checks if the account is expired. It has the same effect as the following configuration of the LDAP provider:

    access_provider = ldap
    ldap_access_order = expire
    ldap_account_expire_policy = ad

However, unless the “ad” access control provider is explicitly configured, the default access provider is “permit”. Please note that if you configure an access provider other than “ad”, you need to set all the connection parameters (such as LDAP URIs and encryption details) manually.
So using *access_provider = ad* should be enough for blocking expired/disabled users, even without modification of ldap_search_base.
Thanks. This is not our issue. The issue is that disabled users are present for PAM, and so postfix accepts emails from disabled users.
Hi,
I guess you mean that the users are still available for nss, i.e. they can be looked up with 'getent passwd username'?
I think you didn't answer if you already tried to run the search filter with '!(userAccountControl:1.2.840.113556.1.4.803:=2)' manually with the ldapsearch command. This is important to understand if the search filter does not work at all or SSSD does not handle it properly.
bye, Sumit
But maybe it is not possible?
Best regards Rikus
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
-- Hinrikus Wolf
Fachschaft Mathematik/Physik/Informatik an der RWTH Aachen
Telefon: Karmanstr: +49 241 80 94506 Infozentrum: +49 241 80 26741 fs@fsmpi.rwth-aachen.de https://www.fsmpi.rwth-aachen.de
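The filter discussed in the thread uses the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against the ACCOUNTDISABLE bit (value 2) of userAccountControl. As an added example that is not part of the thread or of SSSD, the sketch below evaluates that single clause offline against constructed entries, so you know which accounts an ldapsearch run with the same filter should return. The names `matches`, `enabled_users` and `ENTRIES` are hypothetical, and the parser handles only one bitwise clause with an optional negation.

```python
import re

# Active Directory extensible-match rule OIDs for bitwise tests.
BIT_AND = "1.2.840.113556.1.4.803"  # true if ALL bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # true if ANY bit of the value is set

# One clause, e.g. !(userAccountControl:1.2.840.113556.1.4.803:=2), with or
# without the enclosing parentheses. Not a general LDAP filter parser.
CLAUSE = re.compile(
    r"^\(?(?P<neg>!)?\((?P<attr>[\w-]+):(?P<oid>[\d.]+):=(?P<val>\d+)\)\)?$"
)

def matches(filter_text, entry):
    """Return True if the entry (dict of attribute strings) passes the clause."""
    m = CLAUSE.match(filter_text.strip())
    if m is None:
        raise ValueError("unsupported filter: " + filter_text)
    raw = entry.get(m["attr"])
    if raw is None:
        # Absent attribute: the clause is Undefined (RFC 4511), and so is its
        # negation, so the entry is not returned either way.
        return False
    stored, mask = int(raw), int(m["val"])
    if m["oid"] == BIT_AND:
        hit = (stored & mask) == mask
    elif m["oid"] == BIT_OR:
        hit = (stored & mask) != 0
    else:
        raise ValueError("unknown matching rule: " + m["oid"])
    return not hit if m["neg"] else hit

# Constructed sample entries (not taken from any real directory).
ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # normal account
    {"sAMAccountName": "bob", "userAccountControl": "514"},      # normal + disabled
    {"sAMAccountName": "carol", "userAccountControl": "66050"},  # disabled, password never expires
    {"sAMAccountName": "nouac"},                                 # attribute missing
]

def enabled_users(filter_text, entries=ENTRIES):
    """Names of the entries the filter would return."""
    return [e["sAMAccountName"] for e in entries if matches(filter_text, e)]
```

If a manual ldapsearch with the same filter returns the equivalent of `bob` or `carol`, the filter is not being applied as written; if it returns only enabled accounts, the question shifts to how SSSD handles it.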