Thanks a lot for the answer. I commented out ldap_access_filter. I suppose with flush you mean 'sss-cache -E'. I did it. But it did not help.

The LDAP entry of a user who can log in and should not be able to is below.

Note: The host 'another-node' is a different computer than the CentOS 7 to which USER1 can log in but should not be able to. Even without the host attribute he can log in.

Thank you,
ulrich

# extended LDIF
#
# LDAPv3
# base <ou=XXXX,o=YYYY> with scope subtree
# filter: uid=USER1
# requesting: ALL
#

# USER1, XXXX, YYYY
dn: uid=USER1,ou=XXXX,o=YYYY
accountStatus: active
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: ibm-auxAccount
objectClass: qmailUser
objectClass: sambaSamAccount
uid: USER1
uidNumber: ****
shadowFlag: 0
shadowInactive: -1
gidNumber: ***
shadowMin: -1
shadowMax: 999999
homeDirectory: /home/USER1
sn: USER1
mail: USER1 at my.doma.in
mailHost: lmtp:unix:/var/lib/imap/socket/lmtp
shadowWarning: 7
sambaSID: *****************************************
shadowExpire: -1
mailAlternateAddress: USER1a
cn: surname lastname
gecos: surname lastname
loginShell: /bin/bash
host: another-node

On 02/24/2015 01:06 AM, Gordon Messmer wrote:
> On 02/23/2015 03:59 AM, Ulrich Hiller wrote:
>>
>> /etc/sssd/sssd.conf:
>> [domain/default]
>> access_provider = ldap
>> ldap_access_filter = memberOf=ou=YYYY,o=XXXX
>> ldap_access_order = host
>
> Because ldap_access_order doesn't include "filter", ldap_access_filter
> will not be used. You can remove that.
>
> Aside from that, it would be helpful to see the entry for one of the
> users who can log in and should not be able to.
>
> Make sure you flush the cache before testing.
>
>> /etc/ldap.conf:
>
> I don't think that file is relevant.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
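The following is an added example, not code from the thread or from sssd. It re-implements, stand-alone, the decision that sssd's LDAP access provider makes when ldap_access_order = host, following the rules documented in sssd-ldap(5) for the attribute named by ldap_user_authorized_host (default: host): an explicit deny ("!hostname") is resolved first, then an explicit allow (the machine's hostname), then allow-all ("*"); an entry with no host attribute is denied. It is useful for checking an ldapsearch dump like the one above against the hostname a box actually reports, before blaming the cache. The sample LDIF, the hostname "centos7-node" and the user names USER2 to USER4 are constructed for the example; the exact string comparison is an assumption and does not reproduce sssd's matching code byte for byte.

```python
import base64

# Constructed sample, modelled on the entry posted in the thread. USER1 is the
# posted case (host points at a different machine); USER2..USER4 are made up
# to exercise the other rules. None of these values are real.
SAMPLE_LDIF = """\
# constructed sample dump, not a real directory
dn: uid=USER1,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER1
loginShell: /bin/bash
host: another-node

dn: uid=USER2,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER2
host: *

dn: uid=USER3,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER3
host: *
host: !centos7-node

dn: uid=USER4,ou=XXXX,o=YYYY
objectClass: posixAccount
uid: USER4
"""


def parse_ldif_entries(ldif_text):
    """Split ldapsearch output into entries: one dict of attribute -> [values].

    Comment lines are skipped, blank lines separate entries, a leading space
    continues the previous value and "attr:: b64" is base64-decoded (RFC 2849).
    Attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    entries, current, last_attr = [], {}, None
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def host_access_allowed(host_values, local_hostname):
    """Apply the documented host rules to one user's host attribute values.

    Order, as in sssd-ldap(5): explicit deny, explicit allow, allow-all.
    Returns (allowed, reason).
    """
    if not host_values:
        return False, "no host attribute: denied"
    if "!" + local_hostname in host_values:
        return False, "explicit deny !%s" % local_hostname
    if local_hostname in host_values:
        return True, "explicit allow %s" % local_hostname
    if "*" in host_values:
        return True, "allow-all (*)"
    return False, "no host value matches %s" % local_hostname


def evaluate_ldif(ldif_text, local_hostname):
    """Return {uid: (allowed, reason)} for every entry in a dump."""
    results = {}
    for entry in parse_ldif_entries(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        results[uid] = host_access_allowed(entry.get("host", []), local_hostname)
    return results


if __name__ == "__main__":
    # In a real check use socket.gethostname(): that is what sssd compares
    # against. Here the hostname is fixed so the example runs offline.
    for uid, (allowed, reason) in sorted(evaluate_ldif(SAMPLE_LDIF, "centos7-node").items()):
        print("%-6s %-5s %s" % (uid, "ALLOW" if allowed else "DENY", reason))
```

Run against a real dump by feeding `ldapsearch -LLL ... uid=USER1` output and the machine's own hostname; if this says DENY for a user who still gets in, the host rule itself is not the problem. Whether sssd's decision is enforced at all also depends on pam_sss.so being in the account phase of the PAM stack, which the excerpts in this thread do not show.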