On Fri, Nov 24, 2017 at 10:02:15AM +0000, Conwell, Nik wrote:
> Interesting, thanks. I had tried the simple provider but this didn't
> restrict access.

Did you look into the logs why it didn't? Did you use a group that showed up in the group list of the "id" command?

> Since the docs noted that it didn't honor the "expired" attribute
> I didn't look into it any closer.

Yes, this is unfortunately true. We have a long-standing RFE to allow "chaining" of the access providers, but it's not implemented yet.

> I'll try this again and look through debug logs to see where it broke down;
> potentially my groups aren't being resolved yet. Are you saying that the
> simple provider iterates group membership, which in turn SSSD-LDAP should
> be returning?

The simple access provider looks at the user entry itself and their groups in the sssd cache - unlike the access filter, which is applied against the entry in the LDAP server. So yes, SSSD first resolves the groups during the initgroups operation and then runs the simple access check on the result.
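An added sssd.conf example, not taken from this thread, that puts the two approaches discussed above side by side: the simple provider evaluated against the cached groups, and the LDAP access filter evaluated on the server, combined with the expiration check the simple provider does not perform. The domain, server, base DN and group name are placeholders.

```ini
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# raise this while diagnosing a denied login; the reason is written to
# /var/log/sssd/sssd_example.com.log
debug_level = 6

# Option A: simple access provider.
# The rule is matched against the user's groups as SSSD cached them after
# initgroups, so the group must appear in "id <user>" output or the check
# fails. The account expiration attribute is not consulted.
access_provider = simple
simple_allow_groups = ssh-users

# Option B: LDAP access filter.
# The filter is applied to the user's entry on the LDAP server, and
# ldap_access_order lets the expiration check run as well (simple cannot
# be chained with it).
#access_provider = ldap
#ldap_access_order = filter, expire
#ldap_access_filter = (memberOf=cn=ssh-users,ou=groups,dc=example,dc=com)
#ldap_account_expire_policy = shadow
```

After restarting sssd, confirm with `id <user>` that the group resolves through SSSD, then `sssctl user-checks -s sshd <user>` reports the access decision for that service without a real login attempt.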