On (12/09/19 18:49), Hinrikus Wolf wrote:
>Hi,
>
>thanks for your answer.
>
>I have implemented the ldap_search_base. But the disabled users are still
>listed in
>> getent passwd
>That means they are present for PAM.
>
>Any other ideas?
>
man sssd-ad says:

NOTES
    The AD access control provider checks if the account is expired. It
    has the same effect as the following configuration of the LDAP
    provider:

        access_provider = ldap
        ldap_access_order = expire
        ldap_account_expire_policy = ad

    However, unless the “ad” access control provider is explicitly
    configured, the default access provider is “permit”. Please note
    that if you configure an access provider other than “ad”, you need
    to set all the connection parameters (such as LDAP URIs and
    encryption details) manually.

So using *access_provider = ad* should be enough for blocking
expired/disabled users. Even without modification of ldap_search_base.

LS
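An added example, not part of the original message and not SSSD's own code: a small audit of an sssd.conf for domains that fall back to the default "permit" access provider described in the man page excerpt above. The domain names and the `audit_access_providers` helper are assumptions made up for this illustration.

```python
import configparser

# Constructed sample sssd.conf; the domain names are made up for this example.
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, legacy.example

[domain/corp.example]
id_provider = ad
access_provider = ad

[domain/lab.example]
id_provider = ad

[domain/legacy.example]
id_provider = ldap
access_provider = ldap
ldap_access_order = filter
"""

def audit_access_providers(conf_text):
    """Return {domain: finding} for every [domain/...] section (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        opts = cp[section]
        access = opts.get("access_provider", "").strip()
        if not access:
            # Per sssd-ad(5): without an explicit setting the provider is "permit".
            findings[name] = "access_provider unset: defaults to 'permit', expiry not checked"
        elif access == "ad":
            findings[name] = "ok: ad access provider checks account expiry"
        elif access == "ldap":
            # Equivalent LDAP setup needs both options from the man page excerpt.
            order = [o.strip() for o in opts.get("ldap_access_order", "").split(",")]
            policy = opts.get("ldap_account_expire_policy", "").strip()
            if "expire" in order and policy == "ad":
                findings[name] = "ok: ldap provider with expire order and ad policy"
            else:
                findings[name] = "ldap access provider without expire + ldap_account_expire_policy = ad"
        else:
            findings[name] = f"access_provider = {access}: expiry handling not assessed here"
    return findings

if __name__ == "__main__":
    for domain, finding in audit_access_providers(SAMPLE_CONF).items():
        print(f"{domain}: {finding}")
```

The check reads only the text it is given; settings split across additional configuration snippets would have to be merged before auditing.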