Learn more about these different git repos.
Other Git URLs
The documentation says ldap_access_filter setting is mandatory when using access_provider=ldap. However, you can configure the ldap_access_order so that the filter is never checked. The default value for ldap_access_order is just filter, which means that even if you set ldap_account_expire_policy in configuration file, it is never used unless the ldap_access_order is manually altered.
I think that the default of ldap_access_order should either include all possible values in some order and just ignore the ones that are not configured or that specifying for example ldap_account_expire_policy should add it to checking order automatically. Currently the configuration is not intuitive.
Alternatively the man page should mention this additional step (altering the ldap_access_order) in relevant locations or sssd should at least output a warning about set but unused configuration values.
I agree. We should both clarify the man page and print a DEBUG warning if the configuration doesn't make sense.
Configuring the ldap access control correctly can be challenging for users.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10 beta summary: ldap_access_order improvements => ldap_access_order improvements (man page fix) type: enhancement => defect
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=906379
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=906379 906379]
changelog: => owner: somebody => jhrozek patch: 0 => 1 review: => 0 status: new => assigned
changelog: => ldap_access_order must be set in order to non-default access control options to work. This enhancement amends the sssd-ldap man page to document this fact with all non-default ldap_access_order options.
resolution: => fixed status: assigned => closed
Metadata Update from @euj: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.10 beta
Login to comment on this ticket.