Learn more about these different git repos.
Other Git URLs
The documentation says ldap_access_filter setting is mandatory when using access_provider=ldap. However, you can configure the ldap_access_order so that the filter is never checked. The default value for ldap_access_order is just filter, which means that even if you set ldap_account_expire_policy in configuration file, it is never used unless the ldap_access_order is manually altered.
I think that the default of ldap_access_order should either include all possible values in some order and just ignore the ones that are not configured or that specifying for example ldap_account_expire_policy should add it to checking order automatically. Currently the configuration is not intuitive.
Alternatively the man page should mention this additional step (altering the ldap_access_order) in relevant locations or sssd should at least output a warning about set but unused configuration values.
I agree. We should both clarify the man page and print a DEBUG warning if the configuration doesn't make sense.
Configuring the ldap access control correctly can be challenging for users.
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
summary: ldap_access_order improvements => ldap_access_order improvements (man page fix)
type: enhancement => defect
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=906379
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=906379 906379]
owner: somebody => jhrozek
patch: 0 => 1
review: => 0
status: new => assigned
changelog: => ldap_access_order must be set in order to non-default access control options to work. This enhancement amends the sssd-ldap man page to document this fact with all non-default ldap_access_order options.
resolution: => fixed
status: assigned => closed
Metadata Update from @euj:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
to comment on this ticket.