URL: https://github.com/SSSD/sssd/pull/269 Title: #269: Add support for ActiveDirectory's logonHours restrictions
jhrozek commented: """
On Tue, May 16, 2017 at 04:33:22AM -0700, Nicholas Wilson wrote:
> Thanks, I'll look into those things.
>
> 1. Regarding samba's `logon_hours_ok` - it's a static function, so we can't
> call it directly. It's pretty much identical to the short method I've written
> in this PR, only they've added a little bit more debug-level logging. The
> only way to re-use their method would be to call their `authsam_account_ok`
> which does quite a bit of other stuff, some of it samba-specific I think. I
> don't really know the samba codebase, and how much benefit there is to trying
> to share this bit of functionality. sssd includes its own framework for
> querying and caching account records, so it's not going to fit in very well.

Ah, sorry, I didn't mean to call the function, but more or less copy its contents :-) (modulo our differences in debug messages etc..)

But as I said, I didn't study the differences in detail and perhaps you're right. I need to check during a more careful review round..

> 2. Would it be better to have a runtime switch, rather than a compile-time
> switch? If RHEL is going to compile this feature out, there's not much
> benefit to adding it (since our customers will be using stock RHEL). If it
> were a runtime parameter, it could default to 'on' with a Release Note
> explaining to customers they can turn it off if they prefer to.

Let me explain better what I was proposing. Many of the options can be set (on the source level) to NULL. In the source it's often done to denote an 'unset' option.

I was proposing to have a configure switch (--enable-ad-logon-hours-check maybe?) that, if selected, would set the value of the ldap_user_ad_logon_hours option to the expected attribute value logonHours. But when disabled, this option would set the attribute value to NULL in the src/providers/ldap/ldap_opts.c source.

Presumably (but I didn't test this) the check should be skipped with an allowed return code if the attribute value that points to the logon hours attribute is NULL.

So conservative distributions would then configure sssd on the source level with --disable-ad-logon-hours and perhaps Fedora or other distributions where changes are more expected could flip this switch on by default.

Please note that even if the option was set to NULL by default on the source level (so, RHEL), the admin could still opt in for the feature simply by setting:

    ldap_user_ad_logon_hours = logonHours

in sssd.conf to get this feature. So there is also a runtime switch, the difference is the defaults. The other way around (opting out) is a bit more clunky, but still doable with:

    ldap_user_ad_logon_hours = somethingthatdoesntexist

The configure-level switch is by the way what we did when we introduced GPO access control to RHEL. There, RHEL-7 also defaults to "permissive", so it allows access even if GPOs would have denied it, but Fedora (which will eventually become RHEL-8) already defaults to "enforcing" and GPOs are evaluated.

I hope it makes more sense now.
"""

See the full comment at https://github.com/SSSD/sssd/pull/269#issuecomment-301873477
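To make the behaviour discussed above concrete, here is an added example (not code from the PR, from sssd, or from Samba) of an AD logonHours check with the "attribute unset means skip the check and allow" short-circuit jhrozek describes. The function names `check_logon_hours`, `logon_hours_set`, `business_hours_mask` and `check_business_hours` are made up for this example, the sample mask is constructed, and the bit layout (21 bytes, 168 bits, LSB-first within each byte, bit 0 = Sunday 00:00 UTC) is assumed to be the one Samba's `logon_hours_ok` reads; verify it against your own directory before relying on it.

```c
/* Added example, not code from the PR, sssd or Samba.
 * Assumed layout of logonHours, as Samba's logon_hours_ok() reads it:
 * 21 bytes = 168 bits, one per hour of the week, LSB-first within a byte,
 * bit 0 = Sunday 00:00-00:59 UTC. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define LOGON_HOURS_LEN 21   /* 168 hours / 8 bits per byte */
#define HOURS_PER_WEEK  168

/* Outcome of the check. The two ALLOW_* variants model the "skip with an
 * allowed return code" case from the thread (no attribute configured or no
 * value on the entry) and a malformed value, which is let through rather
 * than locking the user out. */
enum logon_hours_result {
    LH_ALLOW,            /* bit for the current hour is set */
    LH_ALLOW_UNSET,      /* no logonHours value: no restriction configured */
    LH_ALLOW_MALFORMED,  /* wrong length: treated as no restriction */
    LH_DENY,             /* bit for the current hour is clear */
    LH_ERROR             /* could not convert the timestamp */
};

/* Bit index in the mask for a UTC timestamp: Sunday 00:00 is bit 0. */
static int logon_hours_bitpos(time_t when, unsigned *bitpos)
{
    struct tm *utc = gmtime(&when);   /* use gmtime_r() in threaded code */
    if (utc == NULL) {
        return -1;
    }
    *bitpos = (unsigned)(utc->tm_wday * 24 + utc->tm_hour) % HOURS_PER_WEEK;
    return 0;
}

/* hours == NULL models the case where ldap_user_ad_logon_hours is unset
 * (the NULL default discussed above) or the entry has no logonHours value. */
enum logon_hours_result
check_logon_hours(const uint8_t *hours, size_t len, time_t when)
{
    unsigned bitpos;

    if (hours == NULL) {
        return LH_ALLOW_UNSET;
    }
    if (len != LOGON_HOURS_LEN) {
        return LH_ALLOW_MALFORMED;
    }
    if (logon_hours_bitpos(when, &bitpos) != 0) {
        return LH_ERROR;
    }
    return (hours[bitpos / 8] & (1u << (bitpos % 8))) ? LH_ALLOW : LH_DENY;
}

/* Helper for building sample masks: mark one hour (wday 0 = Sunday) allowed. */
void logon_hours_set(uint8_t *hours, int wday, int hour)
{
    unsigned bitpos = (unsigned)(wday * 24 + hour) % HOURS_PER_WEEK;
    hours[bitpos / 8] |= (uint8_t)(1u << (bitpos % 8));
}

/* Constructed sample value: allow Monday to Friday, 09:00-16:59 UTC. */
void business_hours_mask(uint8_t *hours)
{
    memset(hours, 0, LOGON_HOURS_LEN);
    for (int wday = 1; wday <= 5; wday++) {
        for (int hour = 9; hour < 17; hour++) {
            logon_hours_set(hours, wday, hour);
        }
    }
}

/* Check a timestamp against the constructed sample mask. */
enum logon_hours_result check_business_hours(time_t when)
{
    uint8_t mask[LOGON_HOURS_LEN];
    business_hours_mask(mask);
    return check_logon_hours(mask, sizeof(mask), when);
}

int main(void)
{
    /* time_t 0 is Thursday 1970-01-01 00:00 UTC; +9h is 09:00 the same day. */
    bool ok = check_business_hours(0) == LH_DENY &&
              check_business_hours(9 * 3600) == LH_ALLOW &&
              check_logon_hours(NULL, 0, 0) == LH_ALLOW_UNSET;
    return ok ? 0 : 1;
}
```

The check works in UTC because the attribute is interpreted that way in the assumed layout; a user whose local working hours straddle a UTC day boundary will have bits set on two weekdays, which the bit arithmetic handles without special cases. The `LH_ALLOW_MALFORMED` branch is the place a real implementation would log at debug level, which is the extra logging the thread mentions Samba carries.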
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org