#1789 ldap_access_order improvements (man page fix)
Closed: Fixed None Opened 9 years ago by euj.

The documentation says the ldap_access_filter setting is mandatory when using access_provider=ldap. However, you can configure the ldap_access_order so that the filter is never checked. The default value for ldap_access_order is just filter, which means that even if you set ldap_account_expire_policy in the configuration file, it is never used unless the ldap_access_order is manually altered.

I think that the default of ldap_access_order should either include all possible values in some order and just ignore the ones that are not configured, or that specifying, for example, ldap_account_expire_policy should add it to the checking order automatically. Currently the configuration is not intuitive.

Alternatively the man page should mention this additional step (altering the ldap_access_order) in relevant locations or sssd should at least output a warning about set but unused configuration values.

I agree. We should both clarify the man page and print a DEBUG warning if the configuration doesn't make sense.

Configuring the ldap access control correctly can be challenging for users.
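The warning about set but unused values requested in this ticket can also be approximated outside SSSD with a small configuration check. The following is an added example, not SSSD code and not part of the ticket; the function name `lint_access_order`, the sample configuration and the domain names are constructed, and the mapping covers only the two options the ticket names.

```python
import configparser

# Constructed sample sssd.conf (not from the ticket): the first domain sets an
# expire policy but leaves ldap_access_order at its default, so it is never used.
SAMPLE_CONF = """
[domain/example.com]
access_provider = ldap
ldap_access_filter = (memberOf=cn=admins,ou=groups,dc=example,dc=com)
ldap_account_expire_policy = shadow

[domain/fixed.example.com]
access_provider = ldap
ldap_access_filter = (memberOf=cn=admins,ou=groups,dc=example,dc=com)
ldap_account_expire_policy = shadow
ldap_access_order = filter, expire
"""

# ldap_access_order value -> option it relies on (only the two named in the ticket)
CHECK_OPTION = {"filter": "ldap_access_filter", "expire": "ldap_account_expire_policy"}
DEFAULT_ORDER = "filter"  # default stated in the ticket


def lint_access_order(conf_text):
    """Return (section, message) pairs for mismatched LDAP access-control settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    warnings = []
    for section in cp.sections():
        dom = cp[section]
        # Only domains that actually use the LDAP access provider are relevant.
        if not section.startswith("domain/") or dom.get("access_provider") != "ldap":
            continue
        order = [v.strip() for v in dom.get("ldap_access_order", DEFAULT_ORDER).split(",")]
        for check, option in CHECK_OPTION.items():
            if option in dom and check not in order:
                warnings.append((section, f"{option} is set but '{check}' is not in "
                                          "ldap_access_order, so it is never checked"))
            elif check in order and option not in dom:
                warnings.append((section, f"'{check}' is in ldap_access_order but "
                                          f"{option} is not set"))
    return warnings


if __name__ == "__main__":
    for section, message in lint_access_order(SAMPLE_CONF):
        print(f"[{section}] {message}")
```

Run against the constructed sample, only the first domain is flagged: its expire policy is configured but silently skipped, which is the access-control gap the ticket describes.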

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
summary: ldap_access_order improvements => ldap_access_order improvements (man page fix)
type: enhancement => defect

Fields changed

changelog: =>
owner: somebody => jhrozek
patch: 0 => 1
review: => 0
status: new => assigned

Fields changed

changelog: => ldap_access_order must be set in order for non-default access control options to work. This enhancement amends the sssd-ldap man page to document this fact with all non-default ldap_access_order options.

resolution: => fixed
status: assigned => closed

Metadata Update from @euj:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2831

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
