I am currently using sssd.conf to only allow login for LDAP users that are in a specific group.

I would like to do the opposite and DENY login based on group membership of a user, while allowing all other users that are NOT members of said group to log in.

Is this possible? My current config that ALLOWS based on group looks like this:

access_provider = ldap
ldap_access_filter = (|(location=secure)(location=sysadm))

I would like to basically do something like the below (location not equal to):

ldap_access_filter != (|(location=secure)(location=sysadm))
Party Time

1 Answer

The LDAP filter that will do as you describe (prevent access from users with location set to either of those values) is:

ldap_access_filter = (!(|(location=secure)(location=sysadm)))
Edgar Sampere
Andy
  • If you are managing access based on group membership that is any more complex I recommend using pam_access.so and populating /etc/security/access.conf – Andy Nov 21 '14 at 10:36
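
An added example, not part of the original question or answer and not SSSD code: a small Python evaluator for the filter subset used on this page, run over constructed user entries to show who the allow filter and the negated filter admit, including a user with no `location` attribute and one with several values. It assumes `location` is a schema-defined attribute matched case-insensitively; the names `parse`, `matches`, `access_allowed` and `decisions` are hypothetical helpers.

```python
# Added example: filter subset (&, |, ! and attr=value), no escapes; entries are constructed.
def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is unterminated
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item {f[i:end]!r}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "=":
        _, attr, value = node
        # An absent attribute has no values, so the equality is false.
        return any(v.lower() == value for v in entry.get(attr, []))
    op, kids = node
    results = [matches(kid, entry) for kid in kids]
    if op == "!":
        return not results[0]
    return all(results) if op == "&" else any(results)

def access_allowed(filter_text, entry):
    text = filter_text.strip()
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return matches(node, {k.lower(): v for k, v in entry.items()})

ALLOW = "(|(location=secure)(location=sysadm))"
DENY = "(!(|(location=secure)(location=sysadm)))"
USERS = {
    "alice": {"location": ["secure"]},
    "bob": {"location": ["office"]},
    "carol": {},                                 # no location attribute
    "dave": {"location": ["office", "sysadm"]},  # multi-valued
}

def decisions(filter_text):
    return {u: access_allowed(filter_text, e) for u, e in USERS.items()}
print("deny filter:", decisions(DENY))
```

With the negated filter, a user who has no `location` value at all is admitted, and a user is denied as soon as any one of their values matches.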