On Fri, Sep 13, 2013 at 02:57:56PM +0200, Jakub Hrozek wrote:
> === Implementation details ===
> 1. The default value of what AD access_provider is set to should be changed
>    * Currently, if `access_provider` is not set explicitly, the default is
>      `permit`, thus allowing even expired accounts
>    * The new default would be `ad`, checking account expiration even with a
>      minimal configuration
This is the part I didn't change in my patches sent to the list earlier as I
think it needs a bit more discussion. Currently the code that loads the
providers resides in data_provider_be.c and looks like this:

    id = load_provider(type=id, default=None)            # ID provider must be specified
    auth = load_provider(type=auth, default=id)          # auth is inherited from id
    access = load_provider(type=access, default="permit")

In other words, the SSSD mandates the access filter to be always set and if not
set, default to permit. This is true even for the IPA provider, so with just
id_provider=ipa, HBAC has no effect.

I think defaulting to access control same as ID provider makes sense, but since
it is a change in how we define the defaults, it should not be done in a point
release, but rather in next major version.

_______________________________________________
sssd-devel mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
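As an added example, not code from the thread or from SSSD itself, the script below applies the three default rules quoted above (id mandatory, auth inherits id, access falls back to "permit") to a constructed sssd.conf and reports which domains end up with the implicit permit access provider; the domain names and config contents are made up for the example.

```python
# Added example: resolve the effective id/auth/access providers of each
# sssd.conf domain with the defaults described in the mail, and flag domains
# that silently fall back to access "permit". Not SSSD's own code.
import configparser
from typing import Dict, List

# Constructed sample sssd.conf: an AD domain with no access_provider, and an
# IPA domain that sets one explicitly.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = ad.example.test, ipa.example.test

[domain/ad.example.test]
id_provider = ad

[domain/ipa.example.test]
id_provider = ipa
access_provider = ipa
"""


def effective_providers(conf_text: str) -> Dict[str, dict]:
    """Apply the defaults quoted from data_provider_be.c: id must be set,
    auth inherits id, access defaults to "permit" when absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    resolved: Dict[str, dict] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        id_prov = cp.get(section, "id_provider", fallback=None)
        resolved[name] = {
            "id": id_prov,
            "auth": cp.get(section, "auth_provider", fallback=id_prov),
            "access": cp.get(section, "access_provider", fallback="permit"),
            # Remember whether "permit" came from the implicit default.
            "access_explicit": cp.has_option(section, "access_provider"),
        }
    return resolved


def domains_with_implicit_permit(conf_text: str) -> List[str]:
    """Domains whose access_provider is unset: every account, including an
    expired one, passes access control under the current default."""
    return sorted(name for name, p in effective_providers(conf_text).items()
                  if not p["access_explicit"])


if __name__ == "__main__":
    for name, p in effective_providers(SAMPLE_SSSD_CONF).items():
        print(f"{name}: id={p['id']} auth={p['auth']} access={p['access']}")
    print("implicit permit:", domains_with_implicit_permit(SAMPLE_SSSD_CONF))
```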
