SSSD ignoring ldap_access_filter parameter

Posted in Red Hat Enterprise Linux Atomic Host
Started 2019-12-09T23:31:29+00:00 by Enrique Suarez del Real (Newbie, 12 points)
Latest response 2019-12-12T12:00:34+00:00

When I try to log in with an LDAP user, any user is permitted; it seems to ignore the ldap_access_filter option and allows all users to log in.

Responses

Kevin Myers (Red Hat Community Member, 67 points), 10 December 2019 1:26 PM

Hi Enrique,

Have a look at this article: "How to restrict certain users or groups on client authenticating with sssd". There are different options to limit this depending on your environment. Using the sssd.conf to include the line access_provider = ldap, then the ldap_access_filter option should be a valid filter. Try to test the filter, for instance using ldapsearch, to ensure that it matches as expected.

One other note on this: depending on ordering in the PAM stack, sssd may be skipped in the PAM account section: "ldap_access_filter being ignored during authentication".

Hope these help.

Enrique Suarez del Real (Newbie, 12 points), 11 December 2019 7:08 PM

Thanks for your response. I am reviewing my configuration, and I attach the configuration files:

cat /etc/sssd/sssd.conf

    [sssd]
    domains = mydomain.com
    config_file_version = 2
    services = nss, pam, ssh, autofs
    debug_level = 0x3ff0
    debug_level = 9

    [nss]
    override_homedir = /home/%u
    default_shell = /bin/bash
    create_homedir = true

    [pam]

    [domain/ mydomain.com]
    debug_level = 0x3ff0
    debug_level = 5
    ad_domain = mydomain.com
    krb5_realm = mydomain.com
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = true
    use_fully_qualified_names = True
    fallback_homedir = /home/%u
    access_provider = ad
    ldap_search_base = dc=mydomain,dc=com
    ldap_access_filter = (memberOf = cn=usersallowedpermitted,ou=Users_linux,ou=,dc=mydomain,dc=com)

file /etc/pam.d/password-auth

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

When I try to log in with an LDAP user, any user is able to log in to my servers.

Regards,
Enrique

Kevin Myers (Red Hat Community Member, 67 points), 12 December 2019 12:00 PM

Hi Enrique,

The configuration shows access_provider = ad; for this, look at the options for ad_access_filter. The man page for sssd-ad has some filter examples you can reference.

For an AD access provider, use the ad_access_filter option. See the sssd-ad(5) man page for details.

The sssd documentation here provides information on both the ldap-access-filter as well as the AD filter.
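
Added example (not part of the thread, and not Red Hat or SSSD project code): a small Python check that flags an sssd.conf domain section whose filter option does not match its access_provider, which is the mismatch pointed out in the last reply. The function name, the sample domain and the filter value are constructed for illustration.

```python
import configparser

# Filter option each access provider evaluates, per the replies in the thread.
FILTER_FOR_PROVIDER = {"ldap": "ldap_access_filter", "ad": "ad_access_filter"}

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
debug_level = 0x3ff0
debug_level = 5
id_provider = ad
access_provider = ad
fallback_homedir = /home/%u
ldap_access_filter = (memberOf=cn=allowed,ou=groups,dc=example,dc=test)
"""

def check_access_filters(conf_text):
    """Return (section, message) findings for every [domain/...] section."""
    # strict=False tolerates repeated keys such as the doubled debug_level;
    # interpolation=None keeps values like /home/%u from raising errors.
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",))
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.lower().startswith("domain/"):
            continue
        opts = parser[section]
        # sssd.conf(5): access_provider defaults to "permit" when unset.
        provider = opts.get("access_provider", "permit").strip().lower()
        expected = FILTER_FOR_PROVIDER.get(provider)
        for option in FILTER_FOR_PROVIDER.values():
            if option in opts and option != expected:
                findings.append((section, f"{option} is set but access_provider"
                                 f" = {provider} does not evaluate it"))
        if expected and expected not in opts:
            findings.append((section, f"access_provider = {provider} has no "
                             f"{expected}; no access filter is applied"))
    return findings

if __name__ == "__main__":
    for section, message in check_access_filters(SAMPLE):
        print(f"[{section}] {message}")
```

Run it against the text of /etc/sssd/sssd.conf before restarting sssd; an empty result means each domain's filter option matches its access provider.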