#1789 ldap_access_order improvements (man page fix)
Closed: Fixed None Opened 6 years ago by euj.

The documentation says the ldap_access_filter setting is mandatory when using access_provider=ldap. However, you can configure the ldap_access_order so that the filter is never checked. The default value for ldap_access_order is just filter, which means that even if you set ldap_account_expire_policy in the configuration file, it is never used unless the ldap_access_order is manually altered.

I think that the default of ldap_access_order should either include all possible values in some order and just ignore the ones that are not configured, or that specifying, for example, ldap_account_expire_policy should add it to the checking order automatically. Currently the configuration is not intuitive.

Alternatively the man page should mention this additional step (altering the ldap_access_order) in relevant locations or sssd should at least output a warning about set but unused configuration values.

I agree. We should both clarify the man page and print a DEBUG warning if the configuration doesn't make sense.

Configuring the ldap access control correctly can be challenging for users.
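
A configuration check for the problem reported in this ticket, as an added example that is not part of the ticket or of SSSD's own code: it parses an sssd.conf and flags access control options that are set but never evaluated. The mapping covers only the two options named here, the "expire" order value for ldap_account_expire_policy is taken from the sssd-ldap man page, and the sample configuration and the function name are constructed for illustration.

```python
import configparser

# Option -> ldap_access_order value that activates it. Only the two options
# named in this ticket are covered; the sssd-ldap man page lists the others.
REQUIRES = {
    "ldap_access_filter": "filter",
    "ldap_account_expire_policy": "expire",
}
DEFAULT_ORDER = "filter"  # default stated in the ticket

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
[domain/example.com]
id_provider = ldap
access_provider = ldap
ldap_access_filter = (memberOf=cn=shell,ou=groups,dc=example,dc=com)
ldap_account_expire_policy = shadow

[domain/fixed.example.com]
access_provider = ldap
ldap_access_order = filter, expire
ldap_access_filter = (memberOf=cn=shell,ou=groups,dc=example,dc=com)
ldap_account_expire_policy = shadow
"""

def unused_access_options(conf_text):
    """Return (section, option, needed_value) for options set but never checked."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "access_provider", fallback="").strip() != "ldap":
            continue
        # An absent ldap_access_order means only the filter is evaluated.
        order = cp.get(section, "ldap_access_order", fallback=DEFAULT_ORDER)
        active = {v.strip() for v in order.split(",") if v.strip()}
        for option, needed in REQUIRES.items():
            if cp.has_option(section, option) and needed not in active:
                findings.append((section, option, needed))
    return findings

if __name__ == "__main__":
    for section, option, needed in unused_access_options(SAMPLE):
        print(f"[{section}] {option} is set but ldap_access_order lacks '{needed}'")
```

In the first sample domain the expiration policy is silently ignored, so an expired account that matches the filter is still granted access; the second domain shows the corrected ldap_access_order.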

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
summary: ldap_access_order improvements => ldap_access_order improvements (man page fix)
type: enhancement => defect

Fields changed

changelog: =>
owner: somebody => jhrozek
patch: 0 => 1
review: => 0
status: new => assigned

Fields changed

changelog: => ldap_access_order must be set in order for non-default access control options to work. This enhancement amends the sssd-ldap man page to document this fact with all non-default ldap_access_order options.

resolution: => fixed
status: assigned => closed

Metadata Update from @euj:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
