On Sat, Oct 19, 2013 at 04:42:50PM -0400, Dmitri Pal wrote:
> On 10/19/2013 01:51 AM, Simo Sorce wrote:
> > On Fri, 2013-10-18 at 13:26 +0200, Jakub Hrozek wrote:
> >> On Fri, Sep 13, 2013 at 02:57:56PM +0200, Jakub Hrozek wrote:
> >>> === Implementation details ===
> >>> 1. The default value of what AD access_provider is set to should be
> >>> changed
> >>>   * Currently, if `access_provider` is not set explicitly, the default is
> >>>     `permit`, thus allowing even expired accounts
> >>>   * The new default would be `ad`, checking account expiration even with
> >>>     a minimal configuration
> >> This is the part I didn't change in my patches sent to the list earlier
> >> as I think it needs a bit more discussion.
> >>
> >> Currently the code that loads the providers resides in
> >> data_provider_be.c and looks like this:
> >>
> >> id = load_provider(type=id, default=None)      # ID provider must be specified
> >> auth = load_provider(type=auth, default=id)    # auth is inherited from id
> >> access = load_provider(type=access, default="permit")
> >>
> >> In other words, the SSSD mandates the access filter to be always set and
> >> if not set, default to permit. This is true even for the IPA provider,
> >> so with just id_provider=ipa, HBAC has no effect.
> >>
> >> I think defaulting to access control same as ID provider makes sense,
> >> but since it is a change in how we define the defaults, it should not be
> >> done in a point release, but rather in next major version.
> > +1
> >
> > Simo.
> >
>
> Does this mean we need to open tickets for ipa-client and realmd to
> set it explicitly?
No, realmd already sets either the domain-specific access provider or
"simple". ipa-client-install already sets 'ipa' unconditionally. The issue
is only about manual configuration.
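The default-resolution order Jakub describes (id_provider mandatory, auth_provider inherited from id_provider, access_provider falling back to "permit") is exactly what an admin auditing hand-written sssd.conf files needs to reproduce, since the thread notes that realmd and ipa-client-install set access_provider explicitly and only manual configurations are exposed. The script below is an added example, not SSSD project code or anything from the thread: it parses an sssd.conf with Python's configparser, applies the three fallback rules from the quoted pseudocode, and reports every [domain/...] section whose access control silently resolves to permit. The sssd.conf text, the domain names and the server hostnames are constructed for the example.

```python
"""Audit sssd.conf domains whose access_provider is unset.

Added example, not part of SSSD. Mirrors the default resolution quoted in
the thread: id_provider must be set, auth_provider falls back to
id_provider, access_provider falls back to "permit". A domain that relies
on that last fallback gets no HBAC (ipa) or expiration (ad) checks.
"""
import configparser

# Constructed sample sssd.conf: three domains, only the first sets
# access_provider explicitly (the hostnames and domains are made up).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.test, ad.example.test, ldap.example.test

[domain/ipa.example.test]
id_provider = ipa
access_provider = ipa
ipa_server = ipa.example.test

[domain/ad.example.test]
id_provider = ad
ad_domain = ad.example.test

[domain/ldap.example.test]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.test
"""


def resolve_providers(section):
    """Apply the loader's fallback rules to one [domain/...] section.

    Returns the effective id/auth/access providers plus whether the
    access provider was written out explicitly or merely defaulted.
    """
    id_provider = section.get("id_provider")          # None -> misconfigured domain
    auth_provider = section.get("auth_provider", id_provider)   # inherited from id
    access_explicit = "access_provider" in section
    access_provider = section.get("access_provider", "permit")  # the risky default
    return {
        "id": id_provider,
        "auth": auth_provider,
        "access": access_provider,
        "access_explicit": access_explicit,
    }


def audit(conf_text):
    """Map each domain name to its effective providers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    results = {}
    for name in parser.sections():
        if not name.startswith("domain/"):
            continue
        results[name[len("domain/"):]] = resolve_providers(parser[name])
    return results


def domains_with_implicit_permit(conf_text):
    """Domains that would end up with access_provider = permit by default."""
    return sorted(
        domain for domain, eff in audit(conf_text).items()
        if not eff["access_explicit"]
    )


if __name__ == "__main__":
    for domain, eff in audit(SAMPLE_SSSD_CONF).items():
        note = "" if eff["access_explicit"] else "  <-- access_provider unset, defaults to permit"
        print(f"{domain}: id={eff['id']} auth={eff['auth']} access={eff['access']}{note}")
```

Run against a real file with `audit(open("/etc/sssd/sssd.conf").read())`; any domain the script lists needs an explicit access_provider line (ipa or ad for those backends, as realmd and ipa-client-install already write), because until the default changes in a major release the daemon itself will not complain.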
