Ldap – Prevent sssd from using ldap to authenticate or id specific users for chef

Tags: chef, ldap, sssd

I'm trying to use chef to add/modify a few local user accounts. For whatever reason there are duplicate accounts in LDAP. Since the system uses sssd/pam/ldap, it sees the user as existing, but is unable to modify them because they are not in /etc/passwd.

Is there a way to completely bypass the ldap accounts so that they do not id? Then Chef will create them properly.

Best Answer

There is an option in the ldap configuration to ignore ldap lookups for certain user ids. In /etc/ldap.conf:

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

There is also this configuration value in the sssd config file

filter_users, filter_groups (string) Exclude certain users from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain. Default: root
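A worked sssd.conf that applies the filter_users option quoted above, both globally in the [nss] section and per-domain with a fully-qualified name. This is an added example, not the asker's or answerer's configuration; the domain, LDAP server and account names are assumed.

```ini
# /etc/sssd/sssd.conf (added example; assumed domain "example.com",
# assumed local accounts "chefsvc" and "deploy").
# sssd refuses to start unless this file is owned by root with mode 0600.
[sssd]
services = nss, pam
domains = example.com

[nss]
# Global filter: these names are never answered from the sss NSS source,
# so getent/id fall through to /etc/passwd and Chef can manage them locally.
# Groups of the same name are filtered too, otherwise a duplicate LDAP
# group would still shadow the local one.
filter_users = root,chefsvc,deploy
filter_groups = root,chefsvc,deploy

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# Per-domain form with a fully-qualified name: hides only this domain's
# copy of the account, which is enough when just one domain has duplicates.
filter_users = deploy@example.com
```

After editing, restart sssd and flush its cache (`sss_cache -E`), then check with `getent passwd chefsvc`: it should return nothing until Chef creates the local account, and only the /etc/passwd entry afterwards.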