On Wed 07 Nov 2012 05:07:14 AM EST, Ondrej Kos wrote:
On 11/06/2012 11:07 PM, Dmitri Pal wrote:
On 11/06/2012 02:09 PM, Simo Sorce wrote:
On Tue, 2012-11-06 at 14:00 -0500, Stephen Gallagher wrote:
On Tue 06 Nov 2012 01:54:46 PM EST, Dmitri Pal wrote:
On 11/06/2012 01:45 PM, Simo Sorce wrote:
• If all lists are empty, access is granted
• If any list is provided, the order of evaluation is allow,deny. This means that any matching deny rule will supersede any matched allow rule.
• If either or both "allow" lists are provided, all users are denied unless they appear in the list.
• If only "deny" lists are provided, all users are granted access unless they appear in the list.
<snip>
Following the first bullet in man page "if all lists are empty the
access is granted".
It works as advertised right?
So I do not see why anything needs to be changed then.
Yeah, that phrasing certainly seems to make it pretty clear that
'simple_allow_users = ' is an empty list. I would prefer that we not
change the meaning of this because it *would* be a
backwards-incompatible change. This strikes me as something we could
stick in a FAQ somewhere: "Be wary if you are using automated tools to
generate this option. Specifying no values here is equivalent to
omitting the option entirely. If you really want to specify no users
are allowed, it's preferable to use 'access_provider = deny'."
Agreed, let's kill off this thread and the proposal.
Sorry Ondrej and Stef, seems like changing this is just not desirable.
Simo.
ack. IMO it should be just clarified in the man page.
patch for manpage attached
O.
Ack
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
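
The man-page rules quoted in this thread, modelled as an added example (not SSSD code and not written by anyone in the thread): a Python evaluator for the four rules plus a lint that flags simple_* list options that are present but empty. The function names, the constructed sample sssd.conf and the exact-string matching of names are assumptions.

```python
import configparser

# Constructed sample sssd.conf; the domain name is made up.
SAMPLE_CONF = """
[domain/example.test]
access_provider = simple
simple_allow_users =
simple_deny_groups =
"""

LIST_OPTIONS = ("simple_allow_users", "simple_allow_groups",
                "simple_deny_users", "simple_deny_groups")

def parse_list(value):
    """Split a comma-separated option value; empty or missing gives []."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def access_granted(user, groups, opts):
    """Apply the four man-page rules quoted in the thread (assumed model)."""
    allow_u, allow_g, deny_u, deny_g = (parse_list(opts.get(k)) for k in LIST_OPTIONS)
    if not (allow_u or allow_g or deny_u or deny_g):
        return True                      # all lists empty: access granted
    denied = user in deny_u or any(g in deny_g for g in groups)
    if allow_u or allow_g:
        allowed = user in allow_u or any(g in allow_g for g in groups)
    else:
        allowed = True                   # only deny lists: granted unless listed
    return allowed and not denied        # order allow,deny: deny supersedes

def empty_list_warnings(conf_text):
    """Return (section, option) pairs where a simple_* list is present but empty."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    warnings = []
    for section in cp.sections():
        if cp.get(section, "access_provider", fallback="") != "simple":
            continue
        for key in LIST_OPTIONS:
            if cp.has_option(section, key) and not parse_list(cp.get(section, key)):
                warnings.append((section, key))  # behaves as if the option were omitted
    return warnings
```

Running empty_list_warnings over generated configuration before deployment catches the case the thread describes, where a tool writes 'simple_allow_users = ' expecting it to lock everyone out.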