<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/30/2013 06:52 PM, Chandan Kumar wrote:
<blockquote
cite="mid:CAD=CKMDhH__NuaQZyfN_JZ6vPsiJEFpqPktrvAoZP8MApGEhKA@mail.gmail.com"
type="cite">Hello,
<div><br>
</div>
<div>As part of migration from passwd/shadow to IPA, I want to
roll out IPA/SSSD based passwords first for a small number of
users and then for all (same goes for hosts: first a small number
of hosts and then all).</div>
<div><br>
</div>
<div>I was trying to limit it using max_id/min_id parameters in
sssd but it does not seem to work the way I expected.</div>
<div>-------</div>
<div>
<div>min_id = 5000</div>
<div>max_id = 5100</div>
</div>
<div>
------</div>
<div>So there is a user "kchandan" with UID/GID 20000</div>
<div>
<div>------</div>
<div>[root@tipa1 ~]# id kchandan</div>
<div>uid=20000(kchandan) gid=20000 groups=20000</div>
</div>
<div>-------</div>
<div>
<br>
</div>
<div>But it is allowing me to log in with that ID, with the only error
showing GID 20000 not found.</div>
<div>-----------</div>
<div>
<div>ssh 10.2.3.105 -l kchandan</div>
<div><a moz-do-not-send="true" href="mailto:kchandan@10.2.3.105">kchandan@10.2.3.105</a>'s
password: </div>
<div>id: cannot find name for group ID 20000</div>
</div>
<div>-------------</div>
<div><br>
</div>
<div>Is there any way to achieve this? <br>
</div>
</blockquote>
<br>
So you want to allow only a subset of users with a specific range to
log into the systems controlled by SSSD before you open it to a
broader public?<br>
I would defer to SSSD gurus but the hack that comes to mind is to
configure a simple access provider to limit the access to just the
users you care about (man sssd-simple) or configure the LDAP access
provider based on a filter (man sssd-ldap).<br>
<br>
<blockquote
cite="mid:CAD=CKMDhH__NuaQZyfN_JZ6vPsiJEFpqPktrvAoZP8MApGEhKA@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>Thanks</div>
<div>Chandan</div>
<br>
<br>
-- <br>
<br>
<div>--</div>
<div><a moz-do-not-send="true" href="http://about.me/chandank"
target="_blank">http://about.me/chandank</a><br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
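<p>An added example, not part of the original thread: a minimal sssd.conf excerpt for the simple access provider suggested in the reply (man sssd-simple). The domain name, user names and group name are placeholders, and the id_provider/auth_provider lines assume an IPA-enrolled client.</p>

```ini
# /etc/sssd/sssd.conf (excerpt) - constructed example
# Domain name, user names and group name below are placeholders.
[domain/example.test]
id_provider = ipa
auth_provider = ipa

# Only one access provider is active per domain. Switching to "simple"
# replaces the IPA access provider, so HBAC rules are no longer
# evaluated by SSSD on this host.
access_provider = simple

# Pilot phase: only these accounts pass the access check;
# every other user in the domain is denied at login.
simple_allow_users = pilotuser1, pilotuser2

# Alternative: manage the pilot set as a group instead of a user list.
# simple_allow_groups = ipa-pilot
```

<p>sssd.conf must be owned by root with mode 0600, and sssd has to be restarted for the change to take effect.</p>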
</body>
</html>