我已经配置 sssd 来针对 ldap 进行身份验证,但是我想限制可以连接到服务器的组。
下面的 sssd.conf 允许不属于上述组的用户连接。为什么?
如何确保只有特定组的用户成员可以登录?而其他人则不能。
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
#debug_level=0x1310
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/example.com]
#debug_level=0x1310
debug_level = 0x3ff0
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
enumerate = true
cache_credentials = false
ldap_tls_reqcert = never
ldap_schema = rfc2307bis
### BIND ###
ldap_default_bind_dn=cn=zLinux LDAP Browser,OU=Technical Accounts,OU=accounts,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxx
### SERVER ###
ldap_uri = ldaps://dc103.example.com:636
ldap_chpass_uri = ldaps://dc103.example.com:636
ldap_backup_uri = ldaps://dc103.example.com:636
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_connection_expire_timeout = 60
### BASE ###
ldap_search_base = OU=Accounts,DC=example,DC=com
### ATTRIBUTES MAPPING ###
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
### GID ACCESS CONTROL ###
access_provider = simple
simple_allow_groups = [email protected]