On (12/09/19 18:49), Hinrikus Wolf wrote:
>Hi,
>
>thanks for your answer.
>
>I have implemented the ldap_search_base. But the disabled users are still 
>listed in
>> getent passwd
>That means they are present for PAM.
>
>Any other ideas?
>

man sssd-ad says:
NOTES
       The AD access control provider checks if the account is expired. It has
       the same effect as the following configuration of the LDAP provider:

           access_provider = ldap
           ldap_access_order = expire
           ldap_account_expire_policy = ad

       However, unless the “ad” access control provider is explicitly
       configured, the default access provider is “permit”. Please note that
       if you configure an access provider other than “ad”, you need to set
       all the connection parameters (such as LDAP URIs and encryption
       details) manually.


So using *access_provider = ad* should be enough for blocking expired/disabled
users, even without modification of ldap_search_base.

LS
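As an added illustration of the man-page rule quoted above (this is not code from the thread or from the SSSD project), the following script audits an sssd.conf for domains that rely on the default "permit" access provider, or on an "ldap" access provider that lacks the expire check. The domain names, the search base and the whole sample configuration are constructed for the example; the rule it encodes comes only from the sssd-ad(5) note: "ad" enforces expiry, and so does "ldap" with ldap_access_order = expire plus ldap_account_expire_policy = ad.

```python
"""Audit an sssd.conf for domains that would let expired/disabled AD accounts
reach PAM. Added example, not from the list thread or the SSSD project.

Encodes only the sssd-ad(5) NOTES quoted above: the "ad" access provider checks
account expiry, and "ldap" does too when ldap_access_order = expire and
ldap_account_expire_policy = ad; the default access_provider is "permit".
All domain names and values below are constructed sample data.
"""
import configparser

# Constructed sample: one domain relying on the default (permit) access provider,
# one using access_provider = ad, and one using the documented ldap equivalent.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = weak.example, fixed.example, ldapexpire.example
services = nss, pam

[domain/weak.example]
id_provider = ad
ldap_search_base = OU=Staff,DC=weak,DC=example

[domain/fixed.example]
id_provider = ad
access_provider = ad

[domain/ldapexpire.example]
id_provider = ldap
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
"""


def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax) into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def audit_domain(opts):
    """Return findings for one [domain/...] section; an empty list means expiry is enforced."""
    findings = []
    # Default documented in sssd-ad(5): no access_provider means "permit".
    access = opts.get("access_provider", "permit").strip().lower()
    if access == "permit":
        findings.append("access_provider defaults to 'permit': expired/disabled accounts pass PAM")
    elif access == "ldap":
        order = [o.strip() for o in opts.get("ldap_access_order", "").split(",") if o.strip()]
        if "expire" not in order:
            findings.append("access_provider = ldap without 'expire' in ldap_access_order")
        elif opts.get("ldap_account_expire_policy", "").strip() != "ad":
            findings.append("ldap_access_order = expire but ldap_account_expire_policy is not 'ad'")
    # "ad" and other providers are not judged here: the man page only documents
    # "ad" and the ldap equivalent above.
    if "ldap_search_base" in opts and access == "permit":
        findings.append("ldap_search_base narrows lookups but is not an access control setting")
    return findings


def audit(text):
    """Map each configured domain name to its list of findings."""
    conf = parse_sssd_conf(text)
    return {s[len("domain/"):]: audit_domain(o)
            for s, o in conf.items() if s.startswith("domain/")}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_SSSD_CONF).items():
        print(f"{'OK' if not findings else 'WEAK':4} {domain}")
        for f in findings:
            print(f"      - {f}")
```

Run against a real file with `audit(open("/etc/sssd/sssd.conf").read())`; the weak.example domain is flagged twice because a narrowed ldap_search_base changes which entries are looked up, not whether an expired account is allowed to log in.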
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
