
I'm trying to use chef to add/modify a few local user accounts. For whatever reason there are duplicate accounts in LDAP. Since the system uses sssd/pam/ldap, it sees the user as existing, but is unable to modify them because they are not in /etc/passwd.

Is there a way to completely bypass the ldap accounts so that they do not id? Then Chef will create them properly.

lmickh

1 Answer


There is an option in the LDAP configuration to ignore LDAP lookups for certain user ids. In /etc/ldap.conf:

    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

There is also this configuration value in the sssd config file:

    filter_users, filter_groups (string)
        Exclude certain users from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain. Default: root
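An added helper script (not part of the answer above) that shows the check behind this fix: it reports whether each account Chef is about to manage resolves from /etc/passwd, from another NSS source such as sss, or not at all, and builds the matching `filter_users` line for the `[nss]` section of sssd.conf. The user names passed on the command line are constructed examples; it assumes glibc `getent(1)`.

```shell
#!/bin/sh
# Added example, not from the original post. Classify where each account
# resolves from, so LDAP-only duplicates can be listed in sssd's
# filter_users before the Chef run creates the local account.
# Assumes glibc getent(1) and a readable /etc/passwd.

# Print "files" if the user is in /etc/passwd, "remote" if NSS resolves it
# from another source (e.g. sss), "missing" if it does not resolve at all.
user_source() {
    name=$1
    if awk -F: -v u="$name" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' /etc/passwd; then
        echo files
    elif getent passwd "$name" >/dev/null 2>&1; then
        echo remote
    else
        echo missing
    fi
}

# Build the filter_users value: root (sssd's default) plus every requested
# user that resolves only remotely, so Chef's user resource sees the account
# as absent and creates it in /etc/passwd.
build_filter_users() {
    list=root
    for u in "$@"; do
        [ "$(user_source "$u")" = remote ] && list="$list,$u"
    done
    echo "$list"
}

# Usage: ./check_users.sh alice bob  -> prints the [nss] fragment for sssd.conf
if [ $# -gt 0 ]; then
    for u in "$@"; do
        printf '%s: %s\n' "$u" "$(user_source "$u")"
    done
    printf '[nss]\nfilter_users = %s\n' "$(build_filter_users "$@")"
fi
```

After adding the line to sssd.conf and restarting sssd, `getent passwd <user>` should return nothing for the filtered names until Chef creates them locally.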