On Wed, Sep 11, 2019 at 3:05 PM Hinrikus Wolf <hinri...@fsmpi.rwth-aachen.de> wrote:
> ldap_search_base = > dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) Putting an (objectClass=user) filter in ldap_search_base will exclude all groups, as ldap_search_base is used for both user and group queries. A modified version of your filter works just fine for us: ldap_search_base = dc=example,dc=org?subtree?(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) This successfully excludes computer objects and terminated objects. As Jakub said, you can use ldapsearch to test your filter. E.g.: $ ldapsearch \ -z 0 \ -E pr=2147483647/noprompt \ -o ldif-wrap=no \ -L \ -L \ -H 'ldap:///dc%3Dexample%2Cdc%3Dorg' \ -Y GSSAPI \ -b "dc=example,dc=org" \ "(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" \ dn _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org