On 11/06/2012 11:07 PM, Dmitri Pal wrote:
On 11/06/2012 02:09 PM, Simo Sorce wrote:
On Tue, 2012-11-06 at 14:00 -0500, Stephen Gallagher wrote:
On Tue 06 Nov 2012 01:54:46 PM EST, Dmitri Pal wrote:
On 11/06/2012 01:45 PM, Simo Sorce wrote:
                  • If all lists are empty, access is granted
                  • If any list is provided, the order of evaluation is
                  allow,deny. This means that any matching deny rule will
                  supersede any matched allow rule.
                  • If either or both "allow" lists are provided, all
                  users are denied unless they appear in the list.
                  • If only "deny" lists are provided, all users are
                  granted access unless they appear in the list.
<snip>
Following the first bullet in the man page: "if all lists are empty the
access is granted".
It works as advertised right?
So I do not see why anything needs to be changed then.

Yeah, that phrasing certainly seems to make it pretty clear that
'simple_allow_users = ' is an empty list. I would prefer that we not
change the meaning of this because it *would* be a
backwards-incompatible change. This strikes me as something we could
stick in a FAQ somewhere: "Be wary if you are using automated tools to
generate this option. Specifying no values here is equivalent to
omitting the option entirely. If you really want to specify no users
are allowed, it's preferable to use 'access_provider = deny'."
Agreed, let's kill off this thread and the proposal.
Sorry Ondrej and Stef, seems like changing this is just not desirable.

Simo.

ack. IMO it should be just clarified in the man page.

patch for manpage attached

O.

--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech

phone: +420-532-294-558
cell:  +420-736-417-909
ext:   82-62558
loc:   1013 Brno 1 office
irc:   okos @ #brno
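As an added illustration (not SSSD's own code and not part of this thread), a small Python model of the evaluation rules quoted from the man page above, run over constructed sssd.conf snippets. It shows that `simple_allow_users =` grants everyone exactly like an omitted option, while `access_provider = deny` is the way to allow nobody. It assumes the default access_provider is `permit`, uses the group list options `simple_allow_groups` / `simple_deny_groups` alongside the user lists, and only approximates SSSD's real behaviour.

```python
import configparser
from dataclasses import dataclass

LIST_KEYS = ("simple_allow_users", "simple_deny_users",
             "simple_allow_groups", "simple_deny_groups")


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()


def _parse_list(value):
    """Split a comma-separated value; an empty value behaves like an omitted option."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def load_rules(conf_text, domain="domain/example"):
    """Read the access-control options of one [domain/...] section (constructed text)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[domain]
    rules = {"provider": sec.get("access_provider", "permit")}  # assumed default
    for key in LIST_KEYS:
        rules[key] = _parse_list(sec.get(key))
    if rules["simple_allow_users"] and rules["simple_deny_users"]:
        raise ValueError("simple_allow_users and simple_deny_users must not both be set")
    return rules


def access_allowed(rules, user):
    """Apply the man page rules: deny lists win, an allow list restricts, empty grants."""
    if rules["provider"] == "deny":
        return False
    if rules["provider"] != "simple":
        return True
    if user.name in rules["simple_deny_users"] or user.groups & set(rules["simple_deny_groups"]):
        return False
    if rules["simple_allow_users"] or rules["simple_allow_groups"]:
        return (user.name in rules["simple_allow_users"]
                or bool(user.groups & set(rules["simple_allow_groups"])))
    return True  # every list empty or omitted: everyone gets in


# Constructed sample configurations illustrating the thread's point.
EMPTY_ALLOW = "[domain/example]\naccess_provider = simple\nsimple_allow_users =\n"
EXPLICIT_DENY = "[domain/example]\naccess_provider = deny\n"
LISTED = ("[domain/example]\naccess_provider = simple\n"
          "simple_allow_users = alice, bob\nsimple_deny_groups = contractors\n")

if __name__ == "__main__":
    for label, conf in (("empty allow", EMPTY_ALLOW), ("deny", EXPLICIT_DENY), ("listed", LISTED)):
        r = load_rules(conf)
        print(label, access_allowed(r, User("alice")), access_allowed(r, User("mallory")))
```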
From 4bb79dcc43424f555a94fb52bddd47fba87860e6 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <o...@redhat.com>
Date: Wed, 7 Nov 2012 10:59:27 +0100
Subject: [PATCH] MAN: sssd-simple - suggest awareness of empty rules

Admins should be aware of the behavior of the simple access provider when
empty lists are configured (which may be the result of scripted filling)
---
 src/man/sssd-simple.5.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml
index 17e9826aa83b48314baf1b65d512c5a3a588659d..6b2277f00fa9cb0024b1e30b08dd03e95e122407 100644
--- a/src/man/sssd-simple.5.xml
+++ b/src/man/sssd-simple.5.xml
@@ -117,6 +117,11 @@
             </variablelist>
         </para>
         <para>
+            Specifying no values for any of the lists is equivalent
+            to skipping it entirely. Beware of this while generating
+            parameters for the simple provider using automated scripts.
+        </para>
+        <para>
             Please note that it is an configuration error if both,
             simple_allow_users and simple_deny_users, are defined.
         </para>
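Review bot: the new paragraph says an empty list equals an omitted one but leaves the consequence implicit; for an empty allow list that consequence is that every user is granted access, so state it outright and point admins who want nobody allowed at "access_provider = deny", as suggested earlier in this thread. Naming the options concerned would also read better than "any of the lists", and since the following paragraph is adjacent context, its "it is an configuration error" could be fixed to "it is a configuration error" in the same patch.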
-- 
1.7.11.7

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel