I'm a complete newcomer to sssd, lured by the promise of caching credentials. I've played with it for about 3 hours now (on RHEL6) and so far all is going great but I've come up against a problem:
I have a bunch of people in my ldap who belong to various groups but not all of them have access to individual servers. So, I'd like to disallow their logging in to my hosts. Previously we set /etc/security/access.conf to exclude the groups in question, and really that wasn't a great solution because I'd set allow and deny for each group. I can do the same thing in effect in sssd by filtering the groups I don't want to allow to log in, but really, I would like to set the people I want to allow login instead.
Now I figure I can do this in pam.d somehow by requiring it to look at access.conf rather than going with the default example which gets around this, but really, I'd prefer not to stray too far off the beaten pam.d track, and was hoping that I'm just missing some simple setting in sssd.conf.
Any thoughts on how I can achieve this easily, or if this is a pam thing, where I can find some information about this? I've not had a lot of luck finding many sssd-related things, and RHEL and sssd's guides are lacking the depth I seek (or I'm just blind).
Any help appreciated!