On Thu, Sep 12, 2019 at 12:50 PM Hinrikus Wolf hinrikus@fsmpi.rwth-aachen.de wrote:
> I have implemented the ldap_search_base. But the disabled users are still listed in
> getent passwd
> That means they are present for PAM.

Not necessarily.
If you did not wipe the sssd cache after you changed the configuration, sssd can still return hits from the cache, even if those entries are no longer in the data provider.
This is probably more than is necessary, but this is how I wipe the cache:
$ systemctl stop sssd.service
$ rm /var/lib/sss/db/* /var/lib/sss/mc/* /var/lib/sss/pipes/* \
     /var/lib/sss/pipes/private/* /var/lib/sss/pubconf/* \
     /var/lib/sss/pubconf/krb5.include.d/*
$ systemctl start sssd.service
If you do that, you should only see entries returned if the data provider finds them.
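
A check to run after the cache wipe, as an added example that is not part of the original message: it reports which accounts from a list of disabled users still appear in passwd-format output such as that of `getent passwd`. The function name, the list file format and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are constructed.

# still_listed LISTFILE: read passwd-format lines on stdin and print each
# login from LISTFILE (one per line, '#' comments allowed) that still appears.
still_listed() {
    awk -F: -v list="$1" '
        BEGIN {
            while ((getline line < list) > 0) {
                sub(/#.*/, "", line)          # drop comments
                gsub(/[ \t\r]/, "", line)     # drop stray whitespace
                if (line != "") disabled[line] = 1
            }
            close(list)
        }
        # Compare the whole login field, so "bob" does not match "bobby".
        ($1 in disabled) { print $1 }
    '
}

# Constructed sample standing in for `getent passwd` output.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:*:10001:10001:Alice Example:/home/alice:/bin/bash
bobby:*:10002:10002:Bobby Example:/home/bobby:/bin/bash
EOF
}

# Constructed list of accounts disabled in the directory.
sample_disabled() {
    printf '%s\n' '# disabled accounts' 'alice' 'bob'
}

# Demo on the samples. On a real host (disabled.txt is a hypothetical file):
#   getent passwd | still_listed disabled.txt
list=$(mktemp)
sample_disabled > "$list"
sample_passwd | still_listed "$list"
rm -f "$list"
```

Empty output on a real host means none of the listed accounts is being returned any more.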