Interesting, thanks. I had tried the simple provider but this didn't restrict access. Since the docs noted that it didn't honor the "expired" attribute I didn't look into it any closer. I'll try this again and look through debug logs to see where it broke down; potentially my groups aren't being resolved yet. Are you saying that the simple provider iterates group membership, which in turn SSSD-LDAP should be returning?
-nik

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Thursday, November 23, 2017 2:47 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: ad_access_filter question

On Wed, Nov 22, 2017 at 07:56:57PM +0000, Conwell, Nik wrote:
> Hi all, I'm jumping in to using sssd-ad here at BU. I'm able to domain join
> a CentOS7 and pull our AD entries successfully but am having troubles with
> ad_access_filter to restrict access to a group.
>
> Due to FERPA restrictions here, we can't query memberOf for random people via
> a machine account, so things like:
>
> ad_access_filter =
> (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)
>
> won't work. I see from debug level 7 that this translates into a query like:

[snip]

Would:

access_provider = simple
simple_allow_groups = group-of-admins

do the trick for you?

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
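A complete domain section that applies Jakub's suggestion, added here as an example and not configuration from the thread or from the SSSD project; the domain name ad.example.com, the log file path and the debug_level value are assumptions, and the group name is the one from the thread:

```ini
[sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad
ad_domain = ad.example.com

# Not usable here: the AD access provider's filter is evaluated as an LDAP
# search against memberOf, which the machine account is not permitted to run.
# access_provider = ad
# ad_access_filter = (memberOf=CN=group-of-admins,OU=XYZ,DC=blah,DC=blah,DC=blah)

# Decide access from the group list SSSD already resolves for the user
# during the normal id_provider lookup, with no separate memberOf query.
access_provider = simple
simple_allow_groups = group-of-admins
# Assumption: if use_fully_qualified_names is enabled for this domain, the
# group must be written in its qualified form, group-of-admins@ad.example.com.

# Raised only while verifying the restriction; the simple provider logs the
# groups it saw and its allow/deny decision in /var/log/sssd/sssd_ad.example.com.log
debug_level = 7
```

Before relying on the restriction, confirm with `id <user>` on the joined host that the allowed group actually appears in the user's resolved group list, since an unresolved group cannot grant access.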