On Sat, Sep 14, 2019 at 11:57:09AM +0200, Hinrikus Wolf wrote:
> Hi,
>
> On 12.09.19 21:30, Lukas Slebodnik wrote:
> >
> > man sssd-ad says:
> > NOTES
> >     The AD access control provider checks if the account is expired. It has
> >     the same effect as the following configuration of the LDAP provider:
> >
> >         access_provider = ldap
> >         ldap_access_order = expire
> >         ldap_account_expire_policy = ad
> >
> >     However, unless the “ad” access control provider is explicitly
> >     configured, the default access provider is “permit”. Please note that
> >     if you configure an access provider other than “ad”, you need to set
> >     all the connection parameters (such as LDAP URIs and encryption
> >     details) manually.
> >
> > So using *access_provider = ad* should be enough for blocking expired/disabled
> > users. Even without modification of ldap_search_base
>
> Thanks. This is not our issue. The issue is that disabled users are
> present for PAM, and so postfix accepts emails from disabled users.

Hi,

I guess you mean that the users are still available for nss, i.e. they can be
looked up with 'getent passwd username'?

I think you didn't answer if you already tried to run the search filter with
'!(userAccountControl:1.2.840.113556.1.4.803:=2)' manually with the ldapsearch
command. This is important to understand if the search filter does not work at
all or SSSD does not handle it properly.

bye,
Sumit

>
> But maybe it is not possible?
>
> Best regards
> Rikus
>
> >
> > LS
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>
> --
> Hinrikus Wolf
>
> Fachschaft Mathematik/Physik/Informatik
> an der RWTH Aachen
>
> Phone:
> Karmanstr: +49 241 80 94506 Infozentrum: +49 241 80 26741
> [email protected] https://www.fsmpi.rwth-aachen.de
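
The manual check asked for above, as an added example that is not part of the original thread: it builds the "not disabled" filter around a user lookup and shows locally which userAccountControl values the bitwise-AND rule excludes. The server URI, base DN, user name, the GSSAPI bind, the sAMAccountName lookup and the name whitelist are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Server URI, base DN and user name passed
# to check_user are placeholders; the GSSAPI (Kerberos) bind is an assumption.

# AD bitwise-AND matching rule OID, as quoted in the thread.
BIT_AND_OID='1.2.840.113556.1.4.803'
# ACCOUNTDISABLE flag of userAccountControl (the ":=2" in the thread's filter).
UAC_ACCOUNTDISABLE=2

# Print a filter that matches the named user only if the account is enabled.
# The name is whitelisted (assumed policy) so it cannot alter the filter syntax.
enabled_user_filter() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing unsafe account name" >&2
            return 1 ;;
    esac
    printf '(&(sAMAccountName=%s)(!(userAccountControl:%s:=%s)))' \
        "$1" "$BIT_AND_OID" "$UAC_ACCOUNTDISABLE"
}

# Local emulation of the rule: it matches when every bit of the assertion
# value is set in the attribute, so "true" here means "excluded by the filter".
is_disabled() {
    [ $(( $1 & $UAC_ACCOUNTDISABLE )) -eq "$UAC_ACCOUNTDISABLE" ]
}

# Manual check against the directory.
# usage: check_user ldap://dc.example.com dc=example,dc=com jdoe
check_user() {
    filter=$(enabled_user_filter "$3") || return 1
    ldapsearch -LLL -Y GSSAPI -H "$1" -b "$2" "$filter" \
        sAMAccountName userAccountControl
}

# Constructed userAccountControl values: 512 normal, 514 normal+disabled,
# 66048 normal+password never expires, 66050 the same but disabled.
for uac in 512 514 66048 66050; do
    if is_disabled "$uac"; then
        echo "$uac: disabled, filter returns no entry"
    else
        echo "$uac: enabled, filter returns the entry"
    fi
done
```

If `check_user` returns an entry for an account known to be disabled, the filter is not being honoured by the server; if it returns nothing while `getent passwd` still resolves the user, the difference lies in how SSSD applies the filter.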
