URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

scabrero commented:
"""
> Hi,
> 
> thanks for the patch. I think an option is needed to control this behavior 
> because SSSD does not know if the denied LDAP access was intentional or not. 
> If it is intentional then just ignoring the object which cannot be accessed 
> is ok.
> 
> But if it is not intentional and the unreadable object is a group used in 
> `simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be 
> permitted to access the system although it was expected that access is denied 
> by adding the user to this group.
> 
> What do you think about it?

Hi @sumit-bose, I agree there is no way to know if the denied access was 
intentional or not, so adding a new configuration option seems appropriate. 
What do you think about "ldap_asq_ignore_unreadable_references"?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5881#issuecomment-974067095
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org