On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> As part of migration from passwd/shadow to IPA, I want to roll out
> IPA/SSSD based password first for a small number of users and then for
> all. (The same goes for hosts: first a small number of hosts and then all.)
> I was trying to limit it using max_id/min_id parameters in sssd but it
> does not seem to work the way I expected.
> min_id = 5000
> max_id = 5100
> So there is a user "kchandan" with UID/GID 20000
> [root@tipa1 ~]# id kchandan
> uid=20000(kchandan) gid=20000 groups=20000
> But it is allowing me to log in with that ID, with the only error showing
> GID 20000 not found.
> ssh 10.2.3.105 -l kchandan
> email@example.com's password:
> id: cannot find name for group ID 20000
> Is there any way to achieve this?
So you want to allow only a subset of users with a specific range to log
into the systems controlled by SSSD before you open it to a broader public?
I would defer to SSSD gurus but the hack that comes to mind is to
configure a simple access provider to limit the access to just the users
you care about (man sssd-simple) or configure the LDAP access provider based
on a filter (man sssd-ldap).
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
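
The simple access provider suggested in the reply above, sketched as an sssd.conf fragment. This is an added example, not part of the original message; the domain name, user list and group name are assumed placeholders.

```ini
# /etc/sssd/sssd.conf (fragment), constructed example.
# "example.com", the user list and "ipa_pilot" are placeholders.
[domain/example.com]
id_provider = ipa
auth_provider = ipa

# min_id/max_id bound which UIDs/GIDs this domain resolves; entries
# outside the range are ignored by SSSD. They are not a login allow-list,
# so they are left out here.
# min_id = 5000
# max_id = 5100

# Pilot phase: only the listed users, or members of the listed group,
# pass the access check for this domain. When an allow list is set,
# everyone else is denied (see man sssd-simple).
access_provider = simple
simple_allow_users = kchandan
simple_allow_groups = ipa_pilot

# Caveat: access_provider = ipa is what evaluates IPA HBAC rules.
# While "simple" is in place, SSSD on this host does not apply HBAC,
# so switch back once the pilot ends if HBAC is meant to be enforced.
```

Restart the sssd service after editing the file so the new access provider is picked up.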