On Tue 06 Nov 2012 01:54:46 PM EST, Dmitri Pal wrote:
On 11/06/2012 01:45 PM, Simo Sorce wrote:
  • If all lists are empty, access is granted
  • If any list is provided, the order of evaluation is allow,deny. This means that any matching deny rule will supersede any matched allow rule.
  • If either or both "allow" lists are provided, all users are denied unless they appear in the list.
  • If only "deny" lists are provided, all users are granted access unless they appear in the list.
<snip>
Following the first bullet in man page "if all lists are empty the
access is granted".
It works as advertised right?
So I do not see why anything needs to be changed then.


Yeah, that phrasing certainly seems to make it pretty clear that 'simple_allow_users = ' is an empty list. I would prefer that we not change the meaning of this because it *would* be a backwards-incompatible change. This strikes me as something we could stick in a FAQ somewhere: "Be wary if you are using automated tools to generate this option. Specifying no values here is equivalent to omitting the option entirely. If you really want to specify no users are allowed, it's preferable to use 'access_provider = deny'."
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
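The four man page rules quoted above, and the "empty list is the same as no list" pitfall discussed in the thread, modelled as a small evaluator. This is an added example, not sssd's own code: it reads an sssd.conf-style snippet with configparser and applies the rules to a user and their group list. The domain name, user names and the three config snippets are constructed for the demo, and the assumption that an unset access_provider behaves like "permit" is this example's simplification, not something the thread states.

```python
"""Model of the sssd 'simple' access provider rules quoted in the thread.

Added example, not sssd code. Shows why 'simple_allow_users = ' (an empty
value) grants everyone, and why 'access_provider = deny' is the right way
to express "nobody is allowed".
"""
import configparser

SIMPLE_LISTS = (
    "simple_allow_users",
    "simple_allow_groups",
    "simple_deny_users",
    "simple_deny_groups",
)


def _split(value):
    # "alice, bob" -> ["alice", "bob"]; "" -> [] (empty, i.e. same as omitted)
    return [v.strip() for v in value.split(",") if v.strip()]


def load_domain(config_text, domain="example.com"):
    """Return the [domain/<name>] section of an sssd.conf-style snippet."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return cp[f"domain/{domain}"]


def simple_access(section, user, groups=()):
    """Apply the man page rules; True means access granted."""
    # Assumption for this model: no access_provider behaves like 'permit'.
    provider = section.get("access_provider", "permit").strip()
    if provider == "permit":
        return True
    if provider == "deny":
        return False
    if provider != "simple":
        raise ValueError(f"provider not modelled here: {provider}")

    lists = {k: _split(section.get(k, "")) for k in SIMPLE_LISTS}
    groups = set(groups)

    # Rule 1: if all lists are empty, access is granted.
    if not any(lists.values()):
        return True

    # Rule 2: evaluation order is allow,deny, so a deny match always wins.
    if user in lists["simple_deny_users"] or groups & set(lists["simple_deny_groups"]):
        return False

    # Rule 3: if either allow list is provided, the user must appear in one.
    if lists["simple_allow_users"] or lists["simple_allow_groups"]:
        return user in lists["simple_allow_users"] or bool(
            groups & set(lists["simple_allow_groups"])
        )

    # Rule 4: only deny lists were provided and none matched.
    return True


# Constructed config snippets for the demo (not from a real deployment).

# The pitfall: a tool emitted an empty allow list, intending "nobody".
EMPTY_ALLOW_LIST = """
[domain/example.com]
access_provider = simple
simple_allow_users =
"""

# The recommended way to say "nobody".
DENY_EVERYONE = """
[domain/example.com]
access_provider = deny
"""

# A normal allow/deny mix to show rules 2 and 3.
MIXED = """
[domain/example.com]
access_provider = simple
simple_allow_users = alice, bob
simple_deny_groups = contractors
"""


def demo():
    """Evaluate a few users against each snippet; returns {label: granted}."""
    empty = load_domain(EMPTY_ALLOW_LIST)
    deny = load_domain(DENY_EVERYONE)
    mixed = load_domain(MIXED)
    return {
        "empty_allow/alice": simple_access(empty, "alice"),
        "deny/alice": simple_access(deny, "alice"),
        "mixed/alice": simple_access(mixed, "alice"),
        "mixed/bob_contractor": simple_access(mixed, "bob", ["contractors"]),
        "mixed/carol": simple_access(mixed, "carol"),
    }


if __name__ == "__main__":
    for label, granted in demo().items():
        print(f"{label}: {'granted' if granted else 'denied'}")
```

Running it shows the case the thread is about: with `simple_allow_users =` every user is granted, exactly as if the option were absent, while `access_provider = deny` refuses everyone. A config generator that wants to express "no users" must therefore emit the deny provider rather than an empty list.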
