On Fri, 2013-10-18 at 13:26 +0200, Jakub Hrozek wrote:
> On Fri, Sep 13, 2013 at 02:57:56PM +0200, Jakub Hrozek wrote:
> > === Implementation details ===
> > 1. The default value of what AD access_provider is set to should be changed
> >    * Currently, if `access_provider` is not set explicitly, the default is
> >      `permit`, thus allowing even expired accounts
> >    * The new default would be `ad`, checking account expiration even with a
> >      minimal configuration
>
> This is the part I didn't change in my patches sent to the list earlier
> as I think it needs a bit more discussion.
>
> Currently the code that loads the providers resides in
> data_provider_be.c and looks like this:
>
>     id = load_provider(type=id, default=None)       # ID provider must be specified
>     auth = load_provider(type=auth, default=id)     # auth is inherited from id
>     access = load_provider(type=access, default="permit")
>
> In other words, the SSSD mandates the access filter to be always set and
> if not set, default to permit. This is true even for the IPA provider,
> so with just id_provider=ipa, HBAC has no effect.
>
> I think defaulting to access control same as ID provider makes sense,
> but since it is a change in how we define the defaults, it should not be
> done in a point release, but rather in next major version.
+1

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
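Until the default changes, a deployment can be checked for the situation Jakub describes: a domain section that never sets access_provider and therefore silently gets "permit". The script below is an added example, not SSSD code or part of this thread; the sssd.conf it parses is a constructed sample with placeholder domain names.

```shell
#!/bin/sh
# Added example (not from the thread): list sssd.conf domains that rely on
# the implicit access_provider default ("permit"). Domain names are
# constructed placeholders.

# Constructed sample sssd.conf: only ipa.example.com sets access_provider.
SAMPLE_CONF='[sssd]
domains = ad.example.com, ipa.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad
ad_domain = ad.example.com
# access_provider = ad    <- commented out, so it does not count

[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
access_provider = ipa
'

# Print one line per [domain/...] section that has no active access_provider
# key. Such a domain gets the built-in default, permit: expired or disabled
# AD accounts pass the access phase, and IPA HBAC rules are never evaluated.
domains_with_implicit_permit() {
    printf '%s\n' "$1" | awk '
        function flush() { if (domain != "" && !seen) print domain }
        /^[[:space:]]*\[domain\// {
            flush()
            domain = $0
            sub(/^[[:space:]]*\[domain\//, "", domain)
            sub(/][[:space:]]*$/, "", domain)
            seen = 0
            next
        }
        /^[[:space:]]*\[/ { flush(); domain = ""; next }
        domain != "" && /^[[:space:]]*access_provider[[:space:]]*=/ { seen = 1 }
        END { flush() }
    '
}

# Real usage: domains_with_implicit_permit "$(cat /etc/sssd/sssd.conf)"
domains_with_implicit_permit "$SAMPLE_CONF"
```

Run it as root, since /etc/sssd/sssd.conf is normally readable only by root; each domain it prints should get an explicit access_provider (ad, ipa, or a deliberately chosen one) rather than the implicit permit.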