URL: https://github.com/SSSD/sssd/pull/269
Title: #269: Add support for ActiveDirectory's logonHours restrictions

jhrozek commented:
"""
On Tue, May 16, 2017 at 04:33:22AM -0700, Nicholas Wilson wrote:
> Thanks, I'll look into those things.
> 
> 1. Regarding samba's `logon_hours_ok` - it's a static function, so we can't 
> call it directly. It's pretty-much identical to the short method I've written 
> in this PR, only they've added a little bit more debug-level logging. The 
> only way to re-use their method would be to call their `authsam_account_ok` 
> which does quite a bit of other stuff, some of it samba-specific I think. I 
> don't really know the samba codebase, and how much benefit there is to trying 
> to share this bit of functionality. sssd includes its own framework for 
> querying and caching account records, so it's not going to fit in very well.

Ah, sorry, I didn't mean to call the function, but more or less copy its
contents :-)

(modulo our differences in debug messages etc.)

But as I said, I didn't study the differences in detail and perhaps
you're right. I need to check during a more careful review round.

> 2. Would it be better to have a runtime switch, rather than a compile-time 
> switch? If RHEL is going to compile this feature out, there's not much 
> benefit to adding it (since our customers will be using stock RHEL). If it 
> were a runtime parameter, it could default to 'on' with a Release Note 
> explaining to customers they can turn it off if they prefer to.

Let me explain better what I was proposing. Many of the options can be set
(on the source level) to NULL. In the source it's often done to denote an
'unset' option.

I was proposing to have a configure switch (--enable-ad-logon-hours-check
maybe?) that, if selected, would set the value of the
ldap_user_ad_logon_hours option to the expected attribute value
logonHours. But when disabled, this option would set the attribute value
to NULL in the src/providers/ldap/ldap_opts.c source. Presumably (but I
didn't test this) the check should be skipped with an allowed return code
if the attribute value that points to the logon hours attribute is NULL.

So conservative distributions would then configure sssd on the source
level with --disable-ad-logon-hours and perhaps Fedora or other
distributions where changes are more expected could flip this switch on
by default.

Please note that even if the option was set to NULL by default on the
source level (so, RHEL), the admin could still opt-in for the feature simply by
setting:
    ldap_user_ad_logon_hours = logonHours
in sssd.conf to get this feature. So there is also a runtime switch, the
difference is the defaults.

The other way around (opting out) is a bit more clunky, but still doable
with:
    ldap_user_ad_logon_hours = somethingthatdoesntexist

The configure-level switch is by the way what we did when we introduced
GPO access control to RHEL. There, RHEL-7 also defaults to "permissive",
so it allows access even if GPOs would have denied it, but Fedora (which
will eventually become RHEL-8) already defaults to "enforcing" and GPOs
are evaluated.

I hope it makes more sense now.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/269#issuecomment-301873477
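One way to structure the check the thread describes (a NULL attribute-name option skips the check with an allowed result, an entry without the attribute has no restriction), as an added example in C that is neither the PR's nor samba's code; the 21-octet, LSB-first, UTC bit layout of logonHours and all function and enum names are assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* logonHours: 21 octets, one bit per hour of the week (168 bits). Assumed
 * layout per MS-ADTS: bit 0 of byte 0 is Sunday 00:00-01:00 UTC, LSB-first. */
#define LOGON_HOURS_LEN 21
enum logon_hours_result {
    LH_ALLOWED,  /* hour permitted, or entry carries no restriction */
    LH_DENIED,   /* hour outside the permitted set */
    LH_SKIPPED,  /* option value is NULL: check disabled, treat as allowed */
    LH_ERROR     /* malformed attribute value: do not guess */
};

/* Hours elapsed since Sunday 00:00 UTC for the given instant (0..167). */
unsigned hour_of_week_utc(time_t now)
{
    struct tm tm;
    gmtime_r(&now, &tm);
    return (unsigned)(tm.tm_wday * 24 + tm.tm_hour);
}

/* attr_name: configured attribute name (NULL = feature off); hours: entry value (NULL = absent). */
enum logon_hours_result check_logon_hours(const char *attr_name,
                                          const uint8_t *hours,
                                          size_t hours_len, time_t now)
{
    if (attr_name == NULL) return LH_SKIPPED;
    if (hours == NULL) return LH_ALLOWED;
    if (hours_len != LOGON_HOURS_LEN) return LH_ERROR;
    unsigned h = hour_of_week_utc(now);
    return ((hours[h / 8] >> (h % 8)) & 1) ? LH_ALLOWED : LH_DENIED;
}

/* Constructed sample value: Monday-Friday 09:00-16:59 UTC permitted. */
const uint8_t *business_hours_mask(void)
{
    static uint8_t mask[LOGON_HOURS_LEN];
    memset(mask, 0, sizeof(mask));
    for (unsigned day = 1; day <= 5; day++) {       /* 1 = Monday */
        for (unsigned hour = 9; hour < 17; hour++) {
            unsigned h = day * 24 + hour;
            mask[h / 8] |= (uint8_t)(1u << (h % 8));
        }
    }
    return mask;
}
```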
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org