> Regarding SSSD side options. > Maybe we should add a stronger mode for ad_gpo_implicit_deny to > "only allow explicitly allowed" users/groups not only > deny access if there are no applicable GPOs. I think such > option would be good hardening option, but it would basically > ignore all Deny rules on the server (OTOH if someone wants to > allow only whitelisted users/groups they would not use deny > rules, so that is actually not a problem). Will you file > an RFE or should I? Feel free to copy paste this discussion > to the ticket.
I've created what I hope counts as an RFE at https://pagure.io/SSSD/sssd/issue/4097, with our conversation included. Thanks! _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org