URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
scabrero commented:
"""
> Hi,
>
> thanks for the patch. I think an option is needed to control this behavior
> because SSSD does not know if the denied LDAP access was intentional or not.
> If it is intentional then just ignoring the object which cannot be accessed
> is ok.
>
> But if it is not intentional and the unreadable object is a group used in
> `simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be
> permitted to access the system although it was expected that access is denied
> by adding the user to this group.
>
> What do you think about it?

Hi @sumit-bose,

I agree there is no way to know if the denied access was intentional or not, so adding a new configuration option seems appropriate. What do you think about "ldap_asq_ignore_unreadable_references"?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5881#issuecomment-974067095
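The concern in the quoted review, as an added illustration that is not SSSD code and not part of the comment: a deny-list check evaluated over a membership list from which an unreadable group was skipped. All type, function and group names are hypothetical, and the sample data is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one entry referenced from a user's memberOf.
 * name == NULL stands for an entry the server refused to return. */
struct ref_entry { const char *name; };
enum access { ACCESS_GRANTED, ACCESS_DENIED, LOOKUP_FAILED };

/* With ignore_unreadable false, one unreadable entry fails the whole
 * search; with it true, the entry is skipped. Returns count or -1. */
static int resolve_groups(const struct ref_entry *refs, size_t n,
                          bool ignore_unreadable, const char **out)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (refs[i].name == NULL) {
            if (!ignore_unreadable) return -1;
            continue; /* membership silently dropped */
        }
        out[count++] = refs[i].name;
    }
    return count;
}

/* Deny-list check in the style of simple_deny_groups: it only sees
 * the groups that resolve_groups managed to return. */
enum access check_access(const struct ref_entry *refs, size_t n,
                         bool ignore_unreadable, const char *deny_group)
{
    const char *groups[16];
    if (n > 16) return LOOKUP_FAILED;
    int count = resolve_groups(refs, n, ignore_unreadable, groups);
    if (count < 0) return LOOKUP_FAILED;
    for (int i = 0; i < count; i++)
        if (strcmp(groups[i], deny_group) == 0) return ACCESS_DENIED;
    return ACCESS_GRANTED;
}

/* Constructed data: the user is a member of "staff" and "blocked". */
static const struct ref_entry readable[] = { {"staff"}, {"blocked"} };
/* Same user, but the directory hides the "blocked" entry. */
static const struct ref_entry unreadable[] = { {"staff"}, {NULL} };

int main(void)
{
    printf("strict=%d ignore=%d\n", check_access(unreadable, 2, false, "blocked"),
           check_access(unreadable, 2, true, "blocked"));
    return 0;
}
```

With the entry skipped, the check returns a grant for a user whose hidden group is the deny group, while the strict path reports a failed lookup instead of a decision.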
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org