URL: https://github.com/SSSD/sssd/pull/552
Title: #552: GPO: Store security CSE settings of all applicable GPOs

rdratlos commented:
"""
This PR provides an alternative solution to #551 to fix 
[#3680](https://pagure.io/SSSD/sssd/issue/3680).
#551 falls short of fixing the root cause.

Current SSSD GPO implementation is too straight forward but can handle only a 
limited set of classical GPO use cases of AD network operators. One of them is 
network administrators splitting their security group policy into several GPOs. 
As [#3680](https://pagure.io/SSSD/sssd/issue/3680) outlines, some of the GPOs 
or GPO access rules may be emptied over time.

SSSD implementation should reflect both, empty security GPOs and split GPs.

This patch is already part of a set of patches to fix and clean-up the GPO 
implementation as well as to adapt SSSD's GPO implementation to the recent 
development of GPO management in Samba AD and Microsoft AD.
Unfortunately, the patch set relies on fixing issue 
[#3324](https://pagure.io/SSSD/sssd/issue/3324). The related [pull 
request](https://pagure.io/SSSD/sssd/pull-request/3320) currently lacks 
progress. Therefore, I have extracted the parts relevant to 
[#3680](https://pagure.io/SSSD/sssd/issue/3680) from the patch set and included 
them here.
They also include following one additional change required to improve GPO 
handling in general:
Store GP results in SSSD cache per CSE GUID (currently only one CSE GUID is 
implemented in SSSD)

Please review this different approach and compare it against #551.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/552#issuecomment-381345441
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to