Aqui está minha solução final, codificada em ansible:
- name: Disable ldap users
ini_file: dest=/etc/sssd/sssd.conf section='nss'
option=filter_users value={{ filter_ldap_users | join(",") }}
register: sssd_conf_users
- name: Disable ldap groups
ini_file: dest=/etc/sssd/sssd.conf section='nss'
option=filter_groups value={{ filter_ldap_groups | join(",") }}
register: sssd_conf_groups
- name: Restart SSSD
when: sssd_conf_users.changed or sssd_conf_groups.changed
service: name=sssd state=restarted
- name: Flush NSCD cache
when: sssd_conf_users.changed or sssd_conf_groups.changed
shell: "for db in /var/db/nscd/*; do nscd -i $(basename $db); done"
- name: Flush SSSD cache
when: sssd_conf_users.changed or sssd_conf_groups.changed
command: /usr/sbin/sss_cache -E