Hi guys,

With regard to adding support for gpo processing in offline mode, if we have 
gpo-guids and policy files cached from previous transactions, then we can 
simply retrieve all the gpo-guids from the cache, construct the policy file 
names, retrieve the policy files from the local GPO_CACHE directory, and 
perform the access checks. 

However, I have some questions:

1. If we don't have any gpo-guids or policy files cached from previous 
transactions, should gpo processing deny access by default (assuming that 
gpo_mode is enforcing)?

2. If we detect that we are off-line, at what points do we need to attempt to 
recover and perform offline processing (as opposed to simply returning an 
error). Certainly, we should perform offline processing if the initial ldap 
connect response (i.e. sdap_id_op_connect_recv) returns a dp_error of 
DP_ERR_OFFLINE. However, if one of the several ldap search responses (i.e. 
sdap_get_generic_recv) return a dp_error of DP_ERR_OFFLINE, should we still 
attempt to recover? Should we attempt to recover if the smb connect or smb read 
fails (in the gpo_child)? 

3. If the initial ldap connection succeeds, but we go offline at a later point 
(and if the right thing to do is to attempt to recover at that point, per 
question 2), am I correct in assuming that we should discard any data received 
from the server up to then (if any), and behave as if we were offline since the 
connection started?

Thanks,
Yassir.
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to