On 10/19/2013 01:51 AM, Simo Sorce wrote:
> On Fri, 2013-10-18 at 13:26 +0200, Jakub Hrozek wrote:
>> On Fri, Sep 13, 2013 at 02:57:56PM +0200, Jakub Hrozek wrote:
>>> === Implementation details ===
>>> 1. The default value of what AD access_provider is set to should be changed
>>>    * Currently, if `access_provider` is not set explicitly, the default is
>>>      `permit`, thus allowing even expired accounts
>>>    * The new default would be `ad`, checking account expiration even with a
>>>      minimal configuration
>> This is the part I didn't change in my patches sent to the list earlier
>> as I think it needs a bit more discussion.
>>
>> Currently the code that loads the providers resides in
>> data_provider_be.c and looks like this:
>>
>> id = load_provider(type=id, default=None)            # ID provider must be specified
>> auth = load_provider(type=auth, default=id)          # auth is inherited from id
>> access = load_provider(type=access, default="permit")
>>
>> In other words, the SSSD mandates the access filter to be always set and
>> if not set, default to permit. This is true even for the IPA provider,
>> so with just id_provider=ipa, HBAC has no effect.
>>
>> I think defaulting to access control same as ID provider makes sense,
>> but since it is a change in how we define the defaults, it should not be
>> done in a point release, but rather in next major version.
> +1
>
> Simo.
>
Does this mean we need to open tickets for ipa-client and realmd to set it explicitly?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
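The provider-defaulting chain quoted above (id must be explicit, auth inherits from id, access falls back to "permit") is the security-relevant point of the thread: a domain configured with nothing but id_provider=ipa or id_provider=ad gets no access control at all. The following model is an added illustration for this page, not SSSD's own code from data_provider_be.c; the function names, the new_defaults switch, and the sample sssd.conf text are constructed assumptions. It resolves the effective providers for a domain section both under the current default and under the proposed one, and includes a small audit helper that lists domains whose effective access provider is still "permit".

```python
"""Model of how SSSD picks per-domain providers, as described in the thread.

Illustration written for this page; not SSSD's implementation. The helper
names and the `new_defaults` switch are assumptions made for the example.
"""
import configparser

# Constructed sample: a minimal domain section with only id_provider set,
# i.e. the "minimal configuration" case the thread is worried about.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.com

[domain/example.com]
id_provider = ipa
"""

PERMIT = "permit"


def resolve_providers(domain_section, new_defaults=False):
    """Return (id, auth, access) for one [domain/...] section.

    Mirrors the load_provider() chain quoted in the thread:
      id     -> must be set explicitly (no default)
      auth   -> inherits from id
      access -> "permit" today; inherits from id under the proposed change
    """
    id_provider = domain_section.get("id_provider")
    if not id_provider:
        raise ValueError("id_provider must be set explicitly")
    auth_provider = domain_section.get("auth_provider", id_provider)
    access_default = id_provider if new_defaults else PERMIT
    access_provider = domain_section.get("access_provider", access_default)
    return id_provider, auth_provider, access_provider


def resolve_from_conf(conf_text, domain, new_defaults=False):
    """Parse sssd.conf-style text and resolve providers for one domain."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return resolve_providers(cp[f"domain/{domain}"], new_defaults)


def domains_with_permissive_access(conf_text):
    """Audit helper: domains whose effective access provider is 'permit'
    under today's defaults, i.e. where HBAC / AD expiration checks do not
    run unless access_provider is set explicitly."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    permissive = []
    for section in cp.sections():
        if section.startswith("domain/"):
            _, _, access = resolve_providers(cp[section])
            if access == PERMIT:
                permissive.append(section[len("domain/"):])
    return permissive


if __name__ == "__main__":
    print(resolve_from_conf(SAMPLE_SSSD_CONF, "example.com"))
    print(resolve_from_conf(SAMPLE_SSSD_CONF, "example.com", new_defaults=True))
    print(domains_with_permissive_access(SAMPLE_SSSD_CONF))
```

Until the default changes in a major release, the audit helper is the practical check: any domain it reports needs an explicit access_provider line (ipa or ad) in sssd.conf, which is exactly what the question about ipa-client and realmd is driving at.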
