[Authentication] [PATCHES] Add realmd support for configuring the AD GPO access-control

Stephen Gallagher sgallagh at redhat.com
Mon Oct 6 04:57:25 PDT 2014
On Mon, 2014-10-06 at 07:51 +0200, Stef Walter wrote:
> On 02.10.2014 15:29, Stephen Gallagher wrote:
> > Patch 0001: Adds a routine to get a string from the realmd.conf
> > with a default value if it's not present.
> 
> Hmmm, I think defaults should be placed in
> /usr/lib64/realmd/realmd-defaults.conf or
> /usr/lib64/realmd/realmd-distro.conf, rather than in the code.
> 
> Was there a special reason for changing this?
> 

Mostly, I was trying to work around the potential .rpmsave problem, but
I realize on second look that the defaults are actually in /usr
not /etc, so they wouldn't be vulnerable to this issue.

> > Patch 0002: Add the "enforce-gpo" option to the [active-directory] 
> > section and use it to set the ad_gpo_access_control setting in
> > sssd.conf
> 
> Not sure what this does exactly, but I'm assuming it controls the HBAC
> setting for SSSD. In realmd, the choice whether to use domain provided
> HBAC is controlled via the 'realm permit ...' options (and related
> DBus interface), and not via a default in the configuration file.
> 

Well, it controls a trinary state: disabled, permissive or enforcing.
This is in addition to the other two access-control features in the AD
provider: account-lock and ldap-filter.

If you'd prefer that realmd just simply always set it to 'enforcing'
mode if 'realm permit -a' has been specified, I can do that and update
the patch accordingly.


> I think the patch should be changed so this setting is changed when
> the "LoginPolicy" property of the realm is changed. More details here:
> 
> http://freedesktop.org/software/realmd/docs/gdbus-org.freedesktop.realmd.Realm.html
> 
> Also see the 'man realm' in the PERMIT and DENY sections.
> 
> http://freedesktop.org/software/realmd/docs/realm.html
> 
> Cheers,
> 
> Stef
> 
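
The mapping discussed in this thread, written out as an added example that is
not realmd's or SSSD's own code: it reads the proposed "enforce-gpo" key from
the [active-directory] section of a realmd.conf-style file with a fallback
default (the behaviour Patch 0001 describes), validates it against the three
states named above (disabled, permissive, enforcing), and produces the
ad_gpo_access_control line that Patch 0002 would write into sssd.conf. The
"enforce-gpo" key is the option the patch proposes, not a shipped realmd
setting, and the fallback of "permissive" is an assumption for this example;
the sample config fragments are constructed.

```python
import configparser

# Assumptions for this example: "enforce-gpo" is the option proposed by the
# patch under discussion (not a shipped realmd key), and DEFAULT_MODE is a
# value chosen here, not the patch's default. The [active-directory] section
# of realmd.conf and the sssd.conf key ad_gpo_access_control are real.
VALID_MODES = ("disabled", "permissive", "enforcing")
DEFAULT_MODE = "permissive"


def get_string_with_default(conf_text, section, key, default):
    """Read a string option, returning `default` when the section or key is
    absent (the behaviour Patch 0001 describes, reimplemented here).
    Interpolation is disabled so realmd-style values such as /home/%U survive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get(section, key, fallback=default).strip()


def gpo_access_control_setting(realmd_conf_text):
    """Translate [active-directory] enforce-gpo into the value to write for
    ad_gpo_access_control in the domain section of sssd.conf.
    Unknown values are rejected rather than silently mapped to a weaker mode."""
    mode = get_string_with_default(
        realmd_conf_text, "active-directory", "enforce-gpo", DEFAULT_MODE
    ).lower()
    if mode not in VALID_MODES:
        raise ValueError(f"enforce-gpo must be one of {VALID_MODES}, got {mode!r}")
    return mode


def render_sssd_domain_line(realmd_conf_text):
    """Return the single sssd.conf line the patch would emit for this config."""
    return f"ad_gpo_access_control = {gpo_access_control_setting(realmd_conf_text)}"


# Constructed realmd.conf fragments for demonstration (not real files).
CONF_EXPLICIT = "[active-directory]\nenforce-gpo = enforcing\n"
CONF_MISSING_KEY = "[active-directory]\ndefault-client = sssd\n"
CONF_NO_SECTION = "[users]\ndefault-home = /home/%U\n"
CONF_BAD = "[active-directory]\nenforce-gpo = yes\n"

if __name__ == "__main__":
    for text in (CONF_EXPLICIT, CONF_MISSING_KEY, CONF_NO_SECTION):
        print(render_sssd_domain_line(text))
    try:
        render_sssd_domain_line(CONF_BAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The explicit value wins when present; a missing key or a missing section both
fall back to the default, and a value outside the three states is an error
rather than being coerced, so a typo in realmd.conf cannot quietly turn GPO
enforcement off.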
