On 05/12/2015 11:04 PM, m.roth at 5-cent.us wrote:
> Ulrich Hiller wrote:
>> I thought this too.
>> I think this:
>>
>> access_provider = ldap
>> ldap_access_filter = memberOf=host=does-not-exist-host
>> ldap_access_order = filter
>> ldap_user_authorized_host = host
>>
>> must confuse sssd so much that it denies login. But the user without
>> host attribute can still login.
>>
> Wait - are you saying that it didn't deny, but now it does? If that's the
> case, then you're almost there, just that the condition is backwards (like
> sshd_config, with PermitRootLogin Without-Password means that you have to
> use a key, not that it permits root to come in without a password....
>
> mark

No. Sorry for the misunderstanding (I am not a native English speaker).
I wanted to say that it still does *not* deny.