On 11/24/17, 8:22 AM, "Jakub Hrozek" <jhro...@redhat.com> wrote:
> On Fri, Nov 24, 2017 at 10:02:15AM +0000, Conwell, Nik wrote:
>
> The simple access provider looks at the user entry itself and their groups in
> the sssd cache - unlike the access filter, which is applied against the
> entry in the LDAP server.
>
> So yes, SSSD first resolves the groups during the initgroups operation
> and then runs the simple access check on the result.

Hi, sorry for the radio silence on this.

I took a look at the groups available and picked one appropriate for membership, and using simple_allow_groups restricts/enables access as desired. Success!

I've also discovered that even though we restrict access to memberOf, there are other fields in AD that are visible to the access filter, so I can do things like:

    ad_access_filter = (|(department=IT)(manager=CN=myboss,OU=People,DC=blah,DC=blah,DC=com))

to allow access to a department or to people who are in my immediate group.

Thanks very much for your help Jakub!

-nik
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
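The two access-control approaches discussed in this thread, as an added sssd.conf example that is not from the thread or from the SSSD project; the domain name, group name and DNs are placeholders, and a domain section can use only one access_provider, so the second variant is shown commented out:

```ini
# Added example (not from the thread). Values such as ad.example.com,
# linux-admins and the manager DN are placeholders.
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad

# Variant 1: simple access provider.
# The allow list is matched against the user's group membership as held
# in the SSSD cache (populated by the initgroups lookup), not against the
# directory directly. A stale cache therefore changes the result until
# the entry expires or is invalidated.
access_provider = simple
simple_allow_groups = linux-admins

# Variant 2: AD access provider with a server-side LDAP filter.
# SSSD sends this filter, combined with the user's own name, to the
# domain controller, so it is evaluated against the live user entry and
# can use any attribute the SSSD bind account is permitted to read, not
# only memberOf. Only one access_provider may be active per domain.
#access_provider = ad
#ad_access_filter = (|(department=IT)(manager=CN=myboss,OU=People,DC=example,DC=com))
```

After changing the section, restart sssd and confirm the decision with `sssctl user-checks <user> -s sshd -a acct`, which runs the account check through the configured access provider.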