On 02/23/2015 03:59 AM, Ulrich Hiller wrote: > > /etc/sssd/sssd.conf: > [domain/default] > access_provider = ldap > ldap_access_filter = memberOf=ou=YYYY,o=XXXX > ldap_access_order = host Because ldap_access_order doesn't include "filter", ldap_access_filter will not be used. You can remove that. Aside from that, it would be helpful to see the entry for one of the users who can log in and should not be able to. Make sure you flush the cache before testing. > /etc/ldap.conf: I don't think that file is relevant.