thanks jakub, we'll give this a try
stijn

On 12/10/18 9:33 AM, Jakub Hrozek wrote:
> On Thu, Dec 06, 2018 at 10:59:04AM -0000, Stijn De Weirdt wrote:
>> hi all,
>>
>> we are using ipa as id_provider/access_provider/auth_provider for a domain,
>> and we want to somehow completely hide users that are disabled in ipa. for
>> now, disabled users are still known on the hosts (eg "getent passwd userxyz"
>> works and gives the correct userid). we would like that eg "getent passwd
>> userxyz" returns nothing (in particular we want that that userid can't start
>> any new process anymore, and that the nfs mounts show that files that belong
>> to the disabled user show up as owned by nobody etc etc).
>>
>> is there any way to filter these users? perhaps some config setting i
>> overlooked, or some ldap filter i can use?
>
> If by disabled users you mean calling 'ipa user-disable' and e.g. not
> locking out after login attempts, then I guess a variant of:
>
> ldap_user_search_base = cn=accounts,dc=ipa,dc=test?sub?(nsaccountlock=false)
>
> just using your search base might work.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
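
A client-side check for the goal stated in the thread (disabled accounts no longer resolve through NSS), as an added example that is not part of the original messages. The function names `lookup`, `still_visible` and `all_hidden` are made up here, and `userxyz` is the thread's placeholder account.

```shell
#!/bin/sh
# Added example, not from the thread: report which accounts a client
# still resolves through NSS after the search-base filter is in place.

# Single lookup step, kept separate so it can be swapped out in tests.
# getent exits 0 only when some NSS source returns an entry; a numeric
# key is looked up as a UID, so file-owner UIDs can be checked too.
lookup() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print every given name or UID that still resolves, one per line.
still_visible() {
    for user in "$@"; do
        if lookup "$user"; then
            printf '%s\n' "$user"
        fi
    done
}

# Return 0 when none of the given accounts resolve, 1 otherwise.
all_hidden() {
    visible=$(still_visible "$@")
    if [ -n "$visible" ]; then
        # Word splitting is intended: one diagnostic line per account.
        printf 'still resolvable: %s\n' $visible >&2
        return 1
    fi
    return 0
}

# Typical use on a client after editing sssd.conf:
#   systemctl restart sssd
#   sss_cache -E          # expire cached entries so stale users drop out
#   all_hidden userxyz    # userxyz: placeholder name from the thread
```

Run it against both the login name and the numeric UID of a disabled account, since the NFS ownership display mentioned in the question depends on the UID lookup.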