On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:
> The deny=yes is a special syntax: If this passdb matches -> deny, there is
> no ExtraField "deny".

Thanks for your answer. That's what I thought after my tests. This explains why I was still able to log in...

> but keep in mind that you do not "deny" a user knowingly, but that this user
> is not found. The semantic is different.

I know, I thought about that. But still, what could be the unwanted side effects?

> What you could try - I do not remember anybody posting something like this -
> is to combine a ldap passdb with deny=yes.

I thought about that too, but that would mean setting up another LDAP directory, which I find a little bit overkill.

Thanks.

--
Thomas Hummel | Institut Pasteur
<hum...@pasteur.fr> | Groupe Exploitation et Infrastructure