The LDAP server itself can provide the access control rules. The associated filter option (
ldap_access_filter) specifies which users are granted access to the specified host. The user filter must be used or all users are denied access.
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
Offline caching for LDAP access providers is limited to determining whether the user's last online login attempt was successful. Users that were granted access during their last login will continue to be granted access while offline.
SSSD can also check results by the account expiration policy and the