On 04/11/2014 08:31 AM, Jakub Hrozek wrote:
> On Fri, Apr 11, 2014 at 01:11:40PM +0200, Pavel Březina wrote:
>> On 04/10/2014 04:20 PM, Jakub Hrozek wrote:
>>> Hi,
>>> 
>>> our current HOWTO[1] on connecting SSSD to an AD DC is
>>> outdated, mostly because the page still only introduces the
>>> LDAP provider. Recently, me, Sumit and Jeremy Agee wrote a new
>>> page that specifically advises to use the AD provider and also
>>> use realmd for setup: 
>>> https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
>>>
>>> We started a new page and kept the old one around mostly because pre-1.9
>>> versions still need the LDAP provider info.
>>> 
>>> I'd like to get some review and feedback from our community so
>>> we can link the wiki page from the front page or the
>>> documentation section. In addition to the lists, I also CC-ed
>>> the individual contributors to the original page directly. I
>>> hope that's fine.
>>> 
>>> Thank you for your comments.
>>> 
>>> [1] 
>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>
>> Hi,
>> nice article. I have just a few nitpicks to sssd.conf.
>> 
>>> [sssd]
>>> config_file_version = 2
>>> domains = ad.example.com
>>> services = nss, pam
>>>
>>> [domain/ad.example.com]
>>> # Uncomment if you need offline logins
>>> # cache_credentials = true
>>>
>>> id_provider = ad
>>> auth_provider = ad
>>> access_provider = ad
>> 
>> I think presenting a minimal configuration would be better, i.e.
>> removing auth and access providers since they are inherited from
>> id.
> 
> auth is inherited, access is not. The access provider defaults to
> permit for all backends. We talked multiple times about changing
> the default, but I'm not quite sure why we didn't. I remember there
> was a technical reason (other than 'no one sent a patch') but I
> can't recall it now, sorry.
> 

Well, the major technical reason is that it would be a
backwards-incompatible change. Updating the SSSD and changing that
behavior could very easily mean suddenly locking a whole lot of people
out of their system. There's really no easy way to change this unless
we want to force an upgrade to set it explicitly to 'access_provider =
permit', but that would still break if something like puppet overwrote
it again.

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
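As an added example for the point raised in the thread (it is not part of the discussion or of SSSD itself): a small Python check that reads an sssd.conf and reports which enabled domains end up with the default access_provider of permit. It encodes the rule Jakub states, that auth_provider is inherited from id_provider while access_provider is not; the sssd.conf text is constructed.

```python
import configparser

# Constructed sssd.conf in the shape of the one quoted in the thread;
# the second domain omits access_provider.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = ad.example.com, corp.example.net
services = nss, pam

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad

[domain/corp.example.net]
id_provider = ad
"""

# Per the thread: auth_provider falls back to id_provider, access_provider does
# not and defaults to "permit" for every backend.
DEFAULT_ACCESS_PROVIDER = "permit"


def effective_providers(conf_text: str) -> dict:
    """Effective id/auth/access provider for each domain enabled in [sssd]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    enabled = [d.strip() for d in parser.get("sssd", "domains", fallback="").split(",")]
    result = {}
    for name in filter(None, enabled):
        section = f"domain/{name}"
        if not parser.has_section(section):
            continue  # enabled but no section to evaluate
        dom = parser[section]
        id_prov = dom.get("id_provider", "")
        result[name] = {
            "id_provider": id_prov,
            "auth_provider": dom.get("auth_provider", id_prov),
            # no inheritance here: unset means every valid account is allowed in
            "access_provider": dom.get("access_provider", DEFAULT_ACCESS_PROVIDER),
        }
    return result


def domains_without_access_control(conf_text: str) -> list:
    """Enabled domains whose access_provider silently falls back to 'permit'."""
    return sorted(name for name, prov in effective_providers(conf_text).items()
                  if prov["access_provider"] == DEFAULT_ACCESS_PROVIDER)
```

Domains that appear in the file but are not listed under `domains` in `[sssd]` are skipped, so the report only covers what SSSD would actually serve.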
