How to restrict certain users or groups on client authenticating with sssd

Solution Unverified - Updated -

Issue

  • How do I restrict certain users or groups on a client authenticating with sssd?
  • We have several systems that are ldap-enabled via sssd and function fine with the exception that in several cases (test machines for the most part) there are account(s) that are defined both locally on the system as well as within ldap. This largely functions correctly except that the password for the ldap account is accepted for user login. Is there a way to adjust pam to only utilize pam_unix.so if a local user is defined, otherwise consult the directory? /etc/pam.d/password-auth is included below:
    Only accept local password in pam even if defined in ldap.

Environment

  • Red Hat Enterprise Linux 6/7
  • sssd
