Reputation: 3
We are currently using VLDAP and sssd.conf on Ubuntu Linux systems, so that users can log in to these Ubuntu systems using their OneLogin credentials.
Is there a way or configuration that can be used via sssd.conf to limit logins to a single / selected set of Ubuntu systems for the users who belong to a
My sssd.conf is:
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = ldap
[pam]
[domain/ldap]
debug_level = 3
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap.us.onelogin.com:636
ldap_default_bind_dn = [email protected],ou=users,dc=my-onelogin-tenant,dc=onelogin,dc=com
ldap_default_authtok = ABCD#0898809
ldap_default_authtok_type = obfuscated_password
ldap_search_base = dc=my-onelogin-tenant,dc=onelogin,dc=com
ldap_user_search_base = ou=users,dc=my-onelogin-tenant,dc=onelogin,dc=com
ldap_group_search_base = ou=roles,dc=my-onelogin-tenant,dc=onelogin,dc=com
ldap_user_object_class = inetOrgPerson
ldap_user_name = username
ldap_user_gecos = username
override_shell = /bin/bash
override_homedir = /home/%u
cache_credentials = true
enumerate = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /path/to/OneLogin-VLDAP-cert
ldap_tls_cacertdir = path/to/certs
ldap_id_use_start_tls = true
ignore_group_members = true
Adding the below in the [domain/ldap] section has no impact, and all users can log in to the system.
Option-1
access_provider = ldap
ldap_access_order = filter
ldap_group_member = member
ldap_access_filter = memberOf=cn=restrictedvldap,ou=roles,dc=my-onelogin-tenant,dc=onelogin,dc=com
Option-2
access_provider = simple
simple_allow_groups = restrictedvldap
Note that within OneLogin a user belongs to one and only one group, but can be a member of multiple roles. Here I am trying to allow members of a OneLogin Role named restrictedvldap.
Please help.
Upvotes: 0
Views: 30
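Added illustration, not from the post above or from sssd itself: a small Python model of what sssd checks under access_provider = ldap with ldap_access_order = filter. It ANDs ldap_access_filter onto the lookup of the user's own entry, so the filter can only pass if the memberOf value is present on the user object as the directory returns it. The user entries are constructed sample data modelled on the question's DN layout; compare against ldapsearch output for a real user before relying on a filter.

```python
# Constructed sample entries shaped like the question's VLDAP tree (not real data).
ROLE_DN = "cn=restrictedvldap,ou=roles,dc=my-onelogin-tenant,dc=onelogin,dc=com"
USERS = {
    "alice": {"objectClass": ["inetOrgPerson"], "username": ["alice"], "memberOf": [ROLE_DN]},
    "bob":   {"objectClass": ["inetOrgPerson"], "username": ["bob"],
              "memberOf": ["cn=developers,ou=roles,dc=my-onelogin-tenant,dc=onelogin,dc=com"]},
    "carol": {"objectClass": ["inetOrgPerson"], "username": ["carol"]},  # no memberOf exposed
}
ACCESS_FILTER = "memberOf=" + ROLE_DN  # the bare form used in the question's Option-1


def parenthesize(flt):
    """sssd accepts a bare 'attr=value' access filter and wraps it in parentheses."""
    return flt if flt.startswith("(") else "(" + flt + ")"


def build_access_search(name, access_filter, name_attr="username", object_class="inetOrgPerson"):
    """Simplified form of the search sssd's LDAP access provider issues: the user's own
    entry lookup (ldap_user_name / ldap_user_object_class) ANDed with ldap_access_filter."""
    return "(&(%s=%s)(objectClass=%s)%s)" % (name_attr, name, object_class, parenthesize(access_filter))


def matches(entry, flt):
    """Tiny RFC 4515 evaluator: equality assertions combined with & and |.
    Values are compared case-insensitively, which is an approximation of DN matching."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesized: " + flt)
    body = flt[1:-1]
    if body[0] in "&|":  # split the top-level sub-filters by tracking paren depth
        parts, depth, start = [], 0, 1
        for i in range(1, len(body)):
            depth += (body[i] == "(") - (body[i] == ")")
            if depth == 0 and body[i] == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def access_allowed(name, access_filter=ACCESS_FILTER):
    """True only if the user's entry exists AND satisfies the access filter."""
    entry = USERS.get(name)
    return entry is not None and matches(entry, build_access_search(name, access_filter))


if __name__ == "__main__":
    for user in USERS:
        print(user, "allowed" if access_allowed(user) else "denied")
```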