[Authentication] [PATCHES] Add realmd support for configuring the AD GPO access-control
Stef Walter
stefw at gnome.org
Sun Oct 5 22:51:32 PDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02.10.2014 15:29, Stephen Gallagher wrote:
> Patch 0001: Adds a routine to get a string from the realmd.conf
> with a default value if it's not present.
Hmmm, I think defaults should be placed in
/usr/lib64/realmd/realmd-defaults.conf or
/usr/lib64/realmd/realmd-distro.conf, rather than in the code.
Was there a special reason for changing this?
> Patch 0002: Add the "enforce-gpo" option to the [active-directory]
> section and use it to set the ad_gpo_access_control setting in
> sssd.conf
Not sure what this does exactly, but I'm assuming it controls the HBAC
setting for SSSD. In realmd, the choice whether to use domain provided
HBAC is controlled via the 'realm permit ...' options (and related
DBus interface), and not via a default in the configuration file.
I think the patch should be changed so this setting is changed when
the "LoginPolicy" property of the realm is changed. More details here:
http://freedesktop.org/software/realmd/docs/gdbus-org.freedesktop.realmd.Realm.html
Also see the 'man realm' in the PERMIT and DENY sections.
http://freedesktop.org/software/realmd/docs/realm.html
Cheers,
Stef
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlQyLeQACgkQe/sRCNknZa/oCACgke0aC/zHRbHO4gyjLveVj65P
e7gAnRyTk1mpaUJKsW23jnUr0gRdqfgU
=0jcV
-----END PGP SIGNATURE-----
More information about the Authentication
mailing list