[rhelv6-beta-list] Does SSSD support filters like nss_ldap?

Don Hoover dxh at yahoo.com
Tue Oct 12 13:31:41 UTC 2010


I am looking at possibly using the new SSSD functionality to replace our existing LDAP configurations and so far it seems like it's not 'quite' fully baked.


Right now I have migrated our old RHEL5 /etc/ldap.conf LDAP client configuration to the new nslcd.conf and pam_ldap.conf in RHEL6 without too much trouble.


I am now looking at the new SSSD functionality since I used to use pam_ccred to do credential caching in RHEL5 for disconnected logins, but that is no longer available in RHEL6.


But I have a question about SSSD LDAP configuration that I can't seem to figure out.
  

Specifically, does SSSD support filtering of passwd/shadow/etc. like nss_ldap does?

For example, we control access to each of our systems by adding filters to the nss_ldap/nslcd configuration like this that limit only certain groups of users to log in:

nslcd (RHEL6 nss):
filter passwd (|(gidNumber=9001)(ou=sysadmins))
filter shadow (|(gidNumber=9001)(ou=sysadmins))

nss ldap.conf (RHEL5 nss):
nss_base_passwd ou=People,o=ourcompany?one?|(gidNumber=9001)(ou=sysadmins)
nss_base_shadow ou=People,o=ourcompany?one?|(gidNumber=9001)(ou=sysadmins)


From what I can see SSSD only supports setting the base filter:
e.g.: ou=People,o=ourcompany and there is no way to further filter out the results returned from the LDAP server, so now every user in our directory is suddenly a valid user on that system.


I know the project is pretty much an infant and it's still growing, but right now does anyone see any way to keep SSSD from just blindly returning every user account?
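
Added illustration, not part of the original post: a small Python evaluator for the filter quoted above, run against constructed directory entries, showing which accounts a base-only lookup returns compared with the filtered lookup. The entries, the function names and the supported filter subset (&, |, ! and equality) are assumptions of this example.

```python
# Parser/evaluator for the LDAP filter subset used in the post: &, |, ! and attr=value.
def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = f[i:i + 1]
    if op and op in "&|!":
        i, kids = i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is unterminated
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only attr=value items are supported")
    return ("=", attr.lower(), value.lower()), end + 1  # case-insensitive (simplification)

def matches(node, entry):
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def visible_users(entries, filter_text=None):  # uids an NSS lookup would return
    if filter_text is None:  # base only: every entry under the search base
        return [e["uid"][0] for e in entries]
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["uid"][0] for e in entries
            if matches(node, {k.lower(): v for k, v in e.items()})]

# Constructed entries under ou=People,o=ourcompany
PEOPLE = [
    {"uid": ["alice"], "gidNumber": ["9001"], "ou": ["engineering"]},
    {"uid": ["bob"], "gidNumber": ["5000"], "ou": ["sysadmins"]},
    {"uid": ["carol"], "gidNumber": ["5000"], "ou": ["sales"]},
]
POST_FILTER = "(|(gidNumber=9001)(ou=sysadmins))"  # filter quoted in the post

if __name__ == "__main__":
    print("base only:", visible_users(PEOPLE))               # every entry
    print("filtered :", visible_users(PEOPLE, POST_FILTER))  # alice, bob
```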
