Ah, apologies, I'd missed the inability to define an LDAP group. Could you 
perhaps consider not restricting it within SSSD, and use a pam group 
restriction and a local group?

John

--
John Hodrien (he/him)
Principal Teaching and Research Support Specialist, School of Computer Science
2.22 Bragg Building, University of Leeds
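
Added example, not part of the original thread: one way to build the local group and pam_access rules suggested above from a plain list of LDAP uids. The group name `hostaccess`, the list file path and all function names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed names: local group "hostaccess",
# allow-list file with one LDAP uid per line ('#' starts a comment).

# Print the usable uids: strip comments and whitespace, keep only plain
# account names (a ':' or ',' would corrupt /etc/group), de-duplicate.
valid_uids() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        grep -E '^[A-Za-z_][A-Za-z0-9_.-]*$' | sort -u
}

# Print entries that were rejected, so typos are noticed rather than dropped.
rejected_uids() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" |
        grep -Ev '^[A-Za-z_][A-Za-z0-9_.-]*$' || true
}

# Comma-separated member list in the form gpasswd -M expects.
member_csv() { valid_uids "$1" | paste -sd, -; }

# pam_access rules: root and members of the local group may log in, nobody else.
access_rules() { printf '+:root:ALL\n+:(%s):ALL\n-:ALL:ALL\n' "$1"; }

# Create or refresh the local group (needs root). The members are LDAP users
# resolved through SSSD; only the group itself lives in /etc/group.
apply_group() {
    local group=$1 list=$2 u
    for u in $(valid_uids "$list"); do
        getent passwd "$u" >/dev/null || echo "warning: $u does not resolve" >&2
    done
    groupadd -f "$group"
    gpasswd -M "$(member_csv "$list")" "$group"
}

# Usage (as root): script.sh apply hostaccess /etc/hostaccess.list
if [ "${1:-}" = apply ]; then
    apply_group "$2" "$3"
    echo "Rules for /etc/security/access.conf"
    echo "(enable with 'account required pam_access.so' in the PAM stack):"
    access_rules "$2"
fi
```

The script only prints the access.conf rules; review them and keep a root session open while testing, since the final `-:ALL:ALL` rule denies everyone not matched earlier.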

________________________________
From: Tomas Halman <thal...@redhat.com>
Sent: 15 September 2025 13:57
To: End-user discussions about the System Security Services Daemon 
<sssd-users@lists.fedorahosted.org>
Cc: frank rust <f.r...@tu-braunschweig.de>; John Hodrien 
<j.h.hodr...@leeds.ac.uk>
Subject: Re: [SSSD-users]Re: Simple question ?


I would say that with this number of users, manually managing filters or 
simple_allow_* lists is really not sustainable and is error-prone.

Maybe you can reverse the condition? Is there anything that can distinguish 
those two sets of users? Or is it really a random set?


Tomáš

On Fri, Sep 12, 2025 at 2:14 PM John Hodrien via sssd-users 
<sssd-users@lists.fedorahosted.org> wrote:
I would think about whether you're wanting to filter visibility and knowledge 
of users, or simply filter access to be able to use the machine.

Things like simple_allow_users / simple_allow_groups would likely be a much 
simpler method to restrict access, if you're content with user/group 
information being available to the machine, and just want to restrict access.

man sssd-simple for that.

John
________________________________
From: frank rust via sssd-users <sssd-users@lists.fedorahosted.org>
Sent: 12 September 2025 13:02
To: sssd-users@lists.fedorahosted.org
Cc: frank rust <f.r...@tu-braunschweig.de>
Subject: [SSSD-users]Simple question ?

Hi all,
I am new to this list. So if this is a common question, I apologise in advance.
I have to filter the access to a system to allow several hundred users out of 
an LDAP server with several tens of thousands of users.
How would I do this? I think the way to define a simple filter line
```
ldap_user_search_filter = ( | (uid=user_1)(uid=user_2)(uid=user_7470)(...) )
```
is not possible for the amount of users.
I have no possibility to create a new group in LDAP or add anything else, I 
only have read access.
What can I do?

Thanks in advance
Frank
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


--
Tomáš Halman
