URL: https://github.com/SSSD/sssd/pull/5562
Author: sumit-bose
Title: #5562: AD GPO: respect ad_gpo_implicit_deny if no GPO is present
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5562/head:pr5562
git checkout pr5562
From fd6e381c7a6c88f994fe90d4d4db0ac94002ce95 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 30 Mar 2021 15:31:17 +0200 Subject: [PATCH] AD GPO: respect ad_gpo_implicit_deny if no GPO is present Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at all for the given client. With this patch this case is handled as expected as well. Resolves: https://github.com/SSSD/sssd/issues/5561 :fixes: `ad_gpo_implicit_deny` is now respected even if there are no applicable GPOs present --- src/providers/ad/ad_gpo.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index b15e0f345b..4ef6a7219c 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -2472,7 +2472,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) } } - ret = EOK; + if (state->gpo_implicit_deny == true) { + DEBUG(SSSDBG_TRACE_FUNC, + "No applicable GPOs have been found and ad_gpo_implicit_deny" + " is set to 'true'. The user will be denied access.\n"); + ret = ERR_ACCESS_DENIED; + } else { + ret = EOK; + } + goto done; }
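Review bot: the new denial branch in ad_gpo_process_gpo_done() logs at SSSDBG_TRACE_FUNC, so with a lower debug level configured an administrator gets no log line explaining why every user on a client with no applicable GPO is now refused. Since this branch changes the outcome from EOK to ERR_ACCESS_DENIED, consider logging it at a less verbose level than the function-trace one. Two smaller points: the diffstat shows only src/providers/ad/ad_gpo.c changed, so no test or option documentation accompanies the behaviour change, and it would help to cover the "no GPO at all" case for both values of ad_gpo_implicit_deny; and "if (state->gpo_implicit_deny == true)" can be written as "if (state->gpo_implicit_deny)" for a boolean field.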
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org