I am using ldap_access_filter in sssd.conf in order to limit access to users that are in a specific ldap group. However, when I do a "getent passwd" I still get a full list of the ldap users.

How can I limit the output to only the users of this specific group (preferably with SSSD)?

Cobra Kai Dojo

1 Answer

The only option to achieve this is to create an LDAP filter string to be used by the `ldap_user_search_base` config parameter (syntax: `search_base[?scope?[filter][?search_base?scope?[filter]]*]`).

This must be a valid RFC 2254 filter, and will likely somehow incorporate your ldap_access_filter into the ldap_user_search_base.

The reason for this is that applying the access filter is a second step after checking if an account exists, which will not be done by getent.

Sven
  • More specifically, it's a check implemented by the PAM module which has nothing to do with NSS (which `getent` consults). – Andrew B May 27 '15 at 16:24
  • I used the ldap_user_search_base successfully (incorporated my memberOf filter) but I still get a complete list of users with getent passwd. Any clues? – Cobra Kai Dojo May 27 '15 at 17:27
  • Make sure to remove the cache and restart sssd after implementing the filter. – jhrozek May 27 '15 at 19:37
  • I have deleted the files in /var/lib/sss/db/, also the cache_credentials is set to false and the nscd is stopped. Maybe something is wrong with my /etc/ldap.conf and /etc/openldap/ldap.conf settings? (I am using SUSE) – Cobra Kai Dojo May 27 '15 at 23:32
  • I checked today and the extra entries were gone, even though I deleted / disabled all the cache yesterday... Probably I missed something. Anyway, now it works. Thanks for your help people =) – Cobra Kai Dojo May 28 '15 at 10:08
  • Regarding the cache: Deleting the cache should work with `sss_cache -U` (invalidate all users). If you have `nscd` running alongside, you might need to invalidate that cache as well (`nscd -i passwd`). – Sven May 28 '15 at 10:33
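An sssd.conf fragment illustrating Sven's answer and the cache discussion in the comments, added here as an example; it is not taken from the question, the answer or the SSSD project. The domain name, server URI, base DNs and group DN are placeholders, and the `memberOf` filter assumes the directory server maintains that attribute.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

; getent passwd only lists LDAP users at all when enumeration is on;
; the question implies it is.
enumerate = True

; Access control: evaluated by the PAM responder at login time.
; NSS (getent) never consults this, so it does not hide users.
ldap_access_filter = (memberOf=cn=admins,ou=groups,dc=example,dc=com)

; Enumeration control: narrow which user entries SSSD fetches in the first place.
; Syntax: search_base?scope?filter   (scope is base, onelevel or subtree;
; the filter must be a valid RFC 2254 filter, parentheses included).
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf=cn=admins,ou=groups,dc=example,dc=com)
```

After changing the search base, invalidate the SSSD user cache with `sss_cache -U` (and `nscd -i passwd` if nscd runs alongside), then restart sssd, so that entries cached under the old search base stop appearing in `getent passwd`.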