SLES12 has changed the LDAP client integration a lot, as we can read in https://forums.suse.com/showthread.p...Authentication.
We have a SLES11 system that restricts access by LDAP group through a pam_groupdn definition in /etc/ldap.conf.
/etc/ldap.conf is not present in SLES12, and I wonder how we can implement LDAP group restrictions with sssd.
I tried the following in the domain definition of /etc/sssd/sssd.conf:
ldap_access_filter = memberOf=cn=...
Unfortunately, this filter does not seem to be effective.
To my knowledge, the filter_groups statement in the [nss] section only allows excluding groups; we are looking for a way to include / permit only a few groups.
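
Added example, not part of the original post: a domain section showing the two sssd access-control settings that restrict logins to members of given groups. sssd evaluates ldap_access_filter only when access_provider is set to ldap; when access_provider is unset it defaults to permit, which lets every authenticated user in. The domain name, LDAP URI, base DN and group names below are constructed placeholders.

```ini
# /etc/sssd/sssd.conf (constructed example; all names are placeholders)
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Option A: LDAP filter.
# ldap_access_filter is evaluated only when the access provider is "ldap"
# and "filter" appears in ldap_access_order (which is the default order).
access_provider = ldap
ldap_access_order = filter
# The memberOf attribute must really exist on the user entries; on
# OpenLDAP that requires the memberof overlay on the server side.
ldap_access_filter = (memberOf=cn=sshusers,ou=groups,dc=example,dc=com)

# Option B (use instead of A): allow-list by group name.
# This does not depend on a memberOf attribute in the directory.
# access_provider = simple
# simple_allow_groups = sshusers, admins
```

Access control is enforced in the PAM account phase, so pam_sss must be in the account stack of the services being restricted, and sssd has to be restarted after the change.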