On Thu, Dec 06, 2018 at 10:59:04AM -0000, Stijn De Weirdt wrote:
> hi all,
>
> we are using ipa as id_provider/access_provider/auth_provider for a domain,
> and we want to somehow completely hide users that are disabled in ipa. for
> now, disabled users are still known on the hosts (eg "getent passwd userxyz"
> works and gives the correct userid). we would like that eg "getent passwd
> userxyz" returns nothing (in particular we want that that userid can't start
> any new process anymore, and that the nfs mounts show that files that belong
> to the disabled user show up as owned by nobody etc etc).
>
> is there any way to filter these users? perhaps some config setting i
> overlooked, or some ldap filter i can use?

If by disabled users you mean calling 'ipa user-disable' and e.g. not
locking out after login attempts, then I guess a variant of:

    ldap_user_search_base = cn=accounts,dc=ipa,dc=test?sub?(nsaccountlock=false)

just using your search base might work.