URL: https://github.com/SSSD/sssd/pull/5241
Title: #5241: GPO: respect ad_gpo_implicit_deny when evaluation rules

sumit-bose commented:
"""
> Ah, ok. And shouldn't it work also the other way - if ad_gpo_implicit_deny = False
> and there is no explicit deny rule then allow access?

yes, but this should already work.

Here is an overview:

```
ad_gpo_implicit_deny = False (default)

  - no allow-rules    no deny-rules present: all  users                    are allowed
  - no allow-rules       deny-rules present: all  users not in deny-rules  are allowed
  -    allow-rules    no deny-rules present: only users     in allow-rules are allowed
  -    allow-rules       deny-rules present: only users     in allow-rules
                                                    and not in deny-rules  are allowed


ad_gpo_implicit_deny = True

  - no allow-rules    no deny-rules present: no   users                    are allowed
  - no allow-rules       deny-rules present: no   users                    are allowed
  -    allow-rules    no deny-rules present: only users     in allow-rules are allowed
  -    allow-rules       deny-rules present: only users     in allow-rules
                                                    and not in deny-rules  are allowed
```

This PR should make sure the `no allow-rules` cases of
`ad_gpo_implicit_deny = True` work as expected.

HTH

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5241#issuecomment-679046124
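
The overview in the comment above reduces to three checks, shown here as an added example that is not SSSD's code and not part of the original comment. The function name `gpo_access_allowed`, the helper `in_rules`, the sample users, and matching users by plain name are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample rule lists (hypothetical user names). */
static const char *const ALLOW[] = {"alice", "bob"};
static const char *const DENY[]  = {"bob", "mallory"};

/* Hypothetical helper: true if user appears in a list of n rule entries. */
static bool in_rules(const char *user, const char *const *rules, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(user, rules[i]) == 0) {
            return true;
        }
    }
    return false;
}

/* Decide access exactly as the overview matrix lists it. */
bool gpo_access_allowed(bool implicit_deny, const char *user,
                        const char *const *allow, size_t n_allow,
                        const char *const *deny, size_t n_deny)
{
    /* A user named in a deny-rule is never allowed, in either mode. */
    if (in_rules(user, deny, n_deny)) {
        return false;
    }
    /* With allow-rules present, only listed users pass, in either mode. */
    if (n_allow > 0) {
        return in_rules(user, allow, n_allow);
    }
    /* No allow-rules: this is the only place ad_gpo_implicit_deny matters. */
    return !implicit_deny;
}

int main(void)
{
    const char *users[] = {"alice", "bob", "carol"};
    for (int d = 0; d <= 1; d++) {
        for (size_t u = 0; u < 3; u++) {
            printf("implicit_deny=%d %-5s none:%d deny-only:%d both:%d\n",
                   d, users[u],
                   gpo_access_allowed(d, users[u], NULL, 0, NULL, 0),
                   gpo_access_allowed(d, users[u], NULL, 0, DENY, 2),
                   gpo_access_allowed(d, users[u], ALLOW, 2, DENY, 2));
        }
    }
    return 0;
}
```

The `no allow-rules` rows are the only ones where the two settings differ, which is why a host with `ad_gpo_implicit_deny = True` and no applicable allow-rules locks out every user.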