On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> Hello,
>
> As part of migration from passwd/shadow to IPA, I want to roll out
> IPA/SSSD based password first for a small number of users and then for
> all. (same goes with host. first small number of host and then all).
>
> I was trying to limit it using max_id/min_id parameters in sssd but it
> does not seems to work the way I expected.
> -------
> min_id = 5000
> max_id = 5100
> ------
> So there is a user "kchandan" with UID/GID 20000
> ------
> [root@tipa1 ~]# id kchandan
> uid=20000(kchandan) gid=20000 groups=20000
> -------
>
> But It is allowing me to login with that ID with only error showing
> GID 20000 not found.
> -----------
> ssh 10.2.3.105 -l kchandan
> kchandan@10.2.3.105 <mailto:kchandan@10.2.3.105>'s password: 
> id: cannot find name for group ID 20000
> -------------
>
> Is there any way to achieve this?

So you want to allow only a subset of users with a specific range to log
into the systems controlled by SSSD before you open it to a broader public?
I would defer to SSSD gurus but the hack that comes to mind is to
configure a simple access provider to limit the access to just the users
you care about (man sssd-simple) or configure ldap access provider based
on a filter (man sssd-ldap).

>
> Thanks
> Chandan
>
>
> -- 
>
> --
> http://about.me/chandank
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to