On 05/05/2015 03:02 AM, Ulrich Hiller wrote: > /etc/openldap/ldap.conf contains the line: > ------------------------------------------ > pam_check_host_attr yes /etc/openldap/ldap.conf is the configuration file for openldap clients. It is not used for system authentication or name service. > 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf > is a softlink to that file. Those two files have completely different syntax and are used by different software. Don't symlink them. > /etc/sssd/sssd.conf: > -------------------- If you're using sssd, then you're not using (or shouldn't be using) the PADL nss module. In that case, /etc/ldap.conf shouldn't even be present. > [domain/default] > access_provider = ldap > ldap_access_filter = memberOf=ou=YYYY,o=XXXX > ldap_access_order = host ldap_access_filter should be an LDAP filter, not an OU. However, it's only used when ldap_access_order=filter. When using ldap_access_order=host, it should not be present. > in /etc/nscd.conf: nscd is also not used when using sssd. > /etc/nsswitch.conf: > ................... > passwd: files sss ldap > shadow: files sss ldap > group: files sss ldap This is wrong. Don't use sss and ldap together. It's redundant. At best it will cause performance problems. Get rid of the ldap module and see if the system starts working correctly with just sssd. It's possible that right now sssd is correctly filtering users, but the PADL ldap module is providing them.