Redhat – How come all LDAP users are shown with getent passwd

Tags: ldap, openldap, pam-ldap, redhat, rhel6

We are using an LDAP server with both Solaris and RHEL servers and planning to migrate more servers over to RHEL. However we have an issue with LDAP on all Red Hat servers.

When I type "getent passwd", all users on the entire LDAP Server are shown, instead of only the users that have access to this server. Normally about 10 to 50 people have access to a server, so Solaris prints out this list of users, while Red Hat flat out prints out a list of all users that exist in the LDAP (about 650).

I prefer the behavior as on Solaris, where only the users that have permission to access the server are listed with "getent passwd".

How can I configure RHEL to list only the users that have access to the server?

Best Answer

You're restricting access in /etc/security/access.conf, which, while it controls who can access the server, has no impact on what users are visible to the server. This is generally what you want: even if user alice is unable to log into the server, if she owns files on a shared filesystem I want to see:

$ ls -l ~alice
-rw-rw-r--. 1 alice alice 0 Aug  1 09:09 afile

Instead of:

$ ls -l ~alice
-rw-rw-r--. 1 5234 5234 0 Aug  1 09:09 afile

That is, I want the system to know about users even if they aren't able to log into the system.

If you want to restrict the set of users visible to the system, you'll need to configure the NSS subsystem to implement some sort of LDAP filter. How you do that depends on what tools you're using:

  • user993553 mentions nss_ldap, which is the legacy tool for integrating with LDAP.

  • Some newer distributions use SSSD, which includes an ldap_service_search_base parameter in the LDAP module.

  • The nslcd program has a filter option that can be applied to each map.

Which mechanism you use depends on what version of RHEL you're running: RHEL 6 has both nslcd and sssd (I'm using nslcd), while earlier versions I think are limited to nss_ldap.
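As an added illustration (not part of the original answer), here is the nslcd approach from the last bullet written out as an /etc/nslcd.conf fragment. The LDAP URI, base DN, host name, group DN and the use of the "host" attribute are all assumptions for the example; the filter passwd / filter group syntax is the one nslcd documents.

```conf
# /etc/nslcd.conf (RHEL 6, nss-pam-ldapd) -- illustrative fragment, not from the original page
uri ldap://ldap.example.com/          # assumed LDAP server
base dc=example,dc=com                # assumed base DN
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.crt

# Default (the behaviour the question describes): every posixAccount in the
# directory is returned by getent passwd, regardless of access.conf.
#filter passwd (objectClass=posixAccount)

# Restricted: only accounts that name this host in their "host" attribute
# (or, alternatively, that belong to a per-server group) are visible.
# Use one of the two forms; the attribute value and group DN are assumptions.
filter passwd (&(objectClass=posixAccount)(host=rhel-app01.example.com))
#filter passwd (&(objectClass=posixAccount)(memberOf=cn=rhel-app01-users,ou=Groups,dc=example,dc=com))

# Leave group lookups unfiltered so group names still resolve for files
# owned by users hidden by the passwd filter above.
filter group (objectClass=posixGroup)
```

After restarting nslcd (and flushing nscd with nscd -i passwd if it is running), getent passwd returns only the matching entries, and getent passwd alice for a filtered-out user returns nothing. That is exactly the trade-off the answer describes: ls -l on alice's files will then print her numeric UID instead of her name. The "host" attribute comes from the account object class in the standard nis schema, and the memberOf form only works if the directory maintains that attribute (for example with OpenLDAP's memberof overlay). Note also that this filter only hides users from NSS; login restriction still belongs in access.conf or the PAM layer.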