Linux – Using sssd ldap access filter DENY based on group

I work with LDAP, but not that specific brand of server.

First thing I'd try is a search on users pulling all of their attributes instead of restricting it the way your example does.

ldapsearch -xLLL -H ldap://server.domain.net \
    -b "cn=users,dc=server,dc=domain,dc=net" uid=username1 \* +

Often there's a "memberOf" attribute on the user that lists the group name or group DN for groups that a user is in, kept in sync with the information in the group. If that's there, that is the easiest way to do what you want.

The * will grab all user attributes (the default behavior) and the + will grab all operational attributes (special attributes).

The reason why it's not working is because you're not specifying an actual filter. You have to understand what a "filter" is, according to LDAP and SSSD. Here's my own sssd.conf with the filters.

My LDAP access filter is saying if the person logging in has host=servername or host=ALL, they can access that machine.

[domain/default]

ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=example,dc=net?sub?|(host=palaceredirect.example.net)(host=ALL)
ldap_group_search_base = ou=Group,dc=example,dc=net
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://library.example.net
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = ldap
ldap_access_filter = (|(host=palaceredirect.example.net)(host=ALL))
ldap_schema = rfc2307bis
enumerate = True
autofs_provider = ldap

[sssd]
config_file_version = 2
services = nss, pam, sudo, autofs

domains = default

[nss]

[pam]

[sudo]

[autofs]

You can ignore my search base. The point of that was to allow "enumerate = True" to work effectively for getent passwd.