[Freeipa-users] Active Directory Trust = filter users

[Alexander Bokovoy]

On Wed, 10 Feb 2016, Winfried de Heiden wrote:
>Hi all,
>
>"hy are you concerned about this in the first place? "
>
>It started from a practical point of view: if one is using the DC of the Office
>Automation, Ad users will get all sorts of AD groups I am never going to use.
>so why do I want to see them anyway? My screen get's a bit messy as for
>"user at ad.example.com"  when this user belongs tot 25 or something groups... It
>would be nice to hide these...
>
>Can I blacklist some of the groups? (Trusts  --> ad.example.com --> Settings)
>by using the SID?
Yes, you can filter out certain SIDs at the KDC side by using settings
of the trust. Theoretically, SSSD would need to remove the group
membership for groups not existing in the MS-PAC.


-- 
/ Alexander Bokovoy