"mourik jan heupink" <[email protected]> wrote:

> [our-ad rule domain_users]
> description=our domain users
> match=all
> action0=set_role=domain_users
> action1=set_access_duration=365D
>
> [our-ad rule domain_admins]
> description=our domain admins
> match=
> action0=set_unreg_date=2020-01-01
> action1=set_access_level=ALL
> action2=set_role=domain_admins
> condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=domain,DC=com

Stupid questions. Our PF 4.x install (configured by GUI) seems to only use "match=all" for catch-all rules. Where conditions are specified, it has "match=any". Does the domain_admin rule above need "match=any", or is it optional with only one condition configured? Is "match=all" with no conditions making the domain_users rule into a catch-all? Just curious, since I have never really worked with the config files in PF 4.x.

Back in the early days of AD, some academic sites used to create a special OU for domain admins. Permissions were set so that helpdesk staff (who had permissions to change passwords) could not alter domain admin entries/passwords in this special OU. (Most were called OU=Delegated.) Our AD tree is still set up like this, and we just defined another authentication source pointing to that OU instead of dealing with group memberships for PF admin permissions...

-Arthur

-------------------------------------------------------------------------
Arthur Emerson III                  Email: [email protected]
Network Administrator               InterNIC: AE81
Mount Saint Mary College            MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.                     Fax: (845) 562-6762
Newburgh, NY 12550                  SneakerNet: Aquinas Hall Room 11
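A toy evaluator for the two rules quoted in this thread, added here as an example; it is not PacketFence's own code. It assumes plain set semantics for an empty condition list (`match=all` over no conditions is true, so the rule is a catch-all; `match=any` over no conditions is false) and that `equals` holds when the value appears among the attribute's values; check both assumptions against your PacketFence version.

```python
import configparser

# Constructed: the two rules quoted in the thread, 'match=' left blank as posted.
RULES_INI = """
[our-ad rule domain_users]
description=our domain users
match=all
action0=set_role=domain_users
action1=set_access_duration=365D

[our-ad rule domain_admins]
description=our domain admins
match=
action0=set_unreg_date=2020-01-01
action1=set_access_level=ALL
action2=set_role=domain_admins
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=domain,DC=com
"""

def load_rules(ini_text):
    """Parse rule sections; conditionN is 'attribute,operator,value' (the value may contain commas)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    rules = []
    for section in cp.sections():
        items = dict(cp.items(section))
        rules.append({
            "name": section,
            "match": items.get("match", ""),
            "conditions": [items[k].split(",", 2) for k in sorted(items) if k.startswith("condition")],
            "actions": [items[k] for k in sorted(items) if k.startswith("action")],
        })
    return rules

def condition_holds(cond, attrs):
    """Assumed semantics: 'equals' is true when the value is among the attribute's values."""
    attr, op, value = cond
    if op == "equals":
        return value in attrs.get(attr, [])
    raise ValueError(f"unsupported operator {op!r}")

def rule_matches(rule, attrs):
    """Assumption: all([]) is True (catch-all), any([]) is False; a blank match mode is an error."""
    hits = [condition_holds(c, attrs) for c in rule["conditions"]]
    if rule["match"] == "all":
        return all(hits)
    if rule["match"] == "any":
        return any(hits)
    raise ValueError(f"rule {rule['name']!r} has no match mode set")
```

With exactly one condition, `all` and `any` give the same answer; the mode only changes the result for rules with zero or several conditions.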
------------------------------------------------------------------------------
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
