On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> Hello,
>
> As part of migration from passwd/shadow to IPA, I want to roll out
> IPA/SSSD based password first for a small number of users and then for
> all. (same goes with host. first small number of host and then all).
>
> I was trying to limit it using max_id/min_id parameters in sssd but it
> does not seem to work the way I expected.
> -------
> min_id = 5000
> max_id = 5100
> ------
> So there is a user "kchandan" with UID/GID 20000
> ------
> [root@tipa1 ~]# id kchandan
> uid=20000(kchandan) gid=20000 groups=20000
> -------
>
> But it is allowing me to login with that ID with only error showing
> GID 20000 not found.
> -----------
> ssh 10.2.3.105 -l kchandan
> firstname.lastname@example.org's password:
> id: cannot find name for group ID 20000
> -------------
>
> Is there any way to achieve this?

So you want to allow only a subset of users with a specific range to log
into the systems controlled by SSSD before you open it to a broader
public?
I would defer to SSSD gurus but the hack that comes to mind is to
configure a simple access provider to limit the access to just the users
you care about (man sssd-simple) or configure ldap access provider based
on a filter (man sssd-ldap).

>
> Thanks
> Chandan
>
>
> --
>
> --
> http://about.me/chandank
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
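The simple access provider suggested in the reply, as an added sssd.conf sketch that is not part of the original thread. The domain name, the server name and the group `sssd-pilot` are constructed placeholders; `kchandan` is the user from the question.

```ini
# /etc/sssd/sssd.conf (added example; example.com, ipa1.example.com and
# sssd-pilot are constructed placeholders, not values from the thread)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = ipa1.example.com

# min_id/max_id only bound which UIDs/GIDs SSSD resolves for this domain.
# They are identity filters, not a login policy, so they are not used
# here to gate the pilot.
# min_id = 5000
# max_id = 5100

# Login policy: once an allow list is set, every user of this domain who
# is not on it is denied in the PAM account phase (see man sssd-simple).
access_provider = simple
simple_allow_users = kchandan
# Alternative that scales better for a staged rollout: keep the pilot
# users in one group and widen the group as the migration proceeds.
# simple_allow_groups = sssd-pilot
```

The access provider is evaluated only for accounts that SSSD serves through pam_sss; accounts that still exist in the local passwd/shadow files are authorized by the local PAM modules and are not affected by this list. Restart sssd after changing the file so the new access rules take effect.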