<div dir="ltr">If this is only a local account vs LDAP account problem, the solution is to make sure LDAP accounts are never in the same range as local accounts. We have all of our LDAP accounts and groups UID/GID over 1000000. <div>
<br></div><div>If they are both local accounts that you are porting into LDAP.. this gets more difficult. Best but not easiest is probably to force all accounts that will be in LDAP to have new, higher UIDs that won't collide with local, then on each machine chown / chgrp everything to their new uid/gid.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 7, 2014 at 9:40 AM, Enrico Morelli <span dir="ltr"><<a href="mailto:morelli@cerm.unifi.it" target="_blank">morelli@cerm.unifi.it</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear,<br>
<br>
I'm porting my working areas authentication on 389-ds. I've nominal<br>
user credential and project credential. So I have user and project<br>
that has the same POSIX ID but different POSIX group and OU.<br>
<br>
EG:<br>
morelli PosixID: 1000 groupID: 100 OU: Technical Staff<br>
java PosixID: 1000 groupID: 900 OU: Project Research<br>
<br>
Now under Linux, if I login with my credential I find that all my files<br>
are of the java project user.<br>
<br>
In the systems sssd.conf I have:<br>
<br>
access_provider = ldap<br>
ldap_access_order = filter<br>
ldap_access_filter = (gidNumber=100)<br>
<br>
Is it possible to avoid this problem? I want that in some machine only<br>
components of a determined group is able to login. The other<br>
users/groups hasn't to be visible.<br>
<br>
Thanks<br>
--<br>
-------------------------------------------------------------<br>
Enrico Morelli<br>
System Administrator | Programmer | Web Developer<br>
<br>
CERM - Polo Scientifico<br>
Via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY<br>
phone: +39 055 457 4269<br>
fax: +39 055 457 4927<br>
-------------------------------------------------------------<br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote></div><br></div>