The documentation says the ldap_access_filter setting is mandatory when using access_provider=ldap. However, you can configure the ldap_access_order so that the filter is never checked. The default value for ldap_access_order is just filter, which means that even if you set ldap_account_expire_policy in the configuration file, it is never used unless the ldap_access_order is manually altered.
I think that the default of ldap_access_order should either include all possible values in some order and just ignore the ones that are not configured, or that specifying, for example, ldap_account_expire_policy should add it to the checking order automatically. Currently the configuration is not intuitive.
Alternatively the man page should mention this additional step (altering the ldap_access_order) in relevant locations or sssd should at least output a warning about set but unused configuration values.
I agree. We should both clarify the man page and print a DEBUG warning if the configuration doesn't make sense.
Configuring the ldap access control correctly can be challenging for users.
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
summary: ldap_access_order improvements => ldap_access_order improvements (man page fix)
type: enhancement => defect
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=906379
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=906379 906379]
owner: somebody => jhrozek
patch: 0 => 1
review: => 0
status: new => assigned
changelog: => ldap_access_order must be set in order for non-default access control options to work. This enhancement amends the sssd-ldap man page to document this fact with all non-default ldap_access_order options.
resolution: => fixed
status: assigned => closed
Metadata Update from @euj:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta
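
The "set but unused" condition discussed in this ticket can be checked offline against a configuration file. The following is an added example, not SSSD code and not part of the ticket: the function name `audit_access_order` and the sample configuration are assumptions, and the last two entries of the option map come from sssd-ldap(5) rather than from this page.

```python
import configparser

# Option -> ldap_access_order value that must be listed for it to be evaluated.
# First two pairs are from the ticket; the last two are from sssd-ldap(5).
ORDER_FOR_OPTION = {
    "ldap_access_filter": "filter",
    "ldap_account_expire_policy": "expire",
    "ldap_user_authorized_service": "authorized_service",
    "ldap_user_authorized_host": "host",
}
DEFAULT_ORDER = "filter"  # default named in the ticket

# Constructed sample configuration (not from the ticket).
SAMPLE_CONF = """
[domain/corp]
access_provider = ldap
ldap_access_filter = (memberOf=cn=admins,dc=example,dc=com)
ldap_account_expire_policy = shadow

[domain/lab]
access_provider = ldap
ldap_access_order = filter, expire
ldap_access_filter = (objectClass=posixAccount)
ldap_account_expire_policy = shadow

[domain/dmz]
access_provider = ldap
ldap_access_order = expire
ldap_access_filter = (objectClass=posixAccount)
"""

def audit_access_order(conf_text):
    """Return (section, option, missing_order_value) for set-but-unused options."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: no % interpolation
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "access_provider", fallback="").strip() != "ldap":
            continue
        raw = cp.get(section, "ldap_access_order", fallback=DEFAULT_ORDER)
        order = {v.strip().lower() for v in raw.split(",") if v.strip()}
        for option, needed in ORDER_FOR_OPTION.items():
            if cp.has_option(section, option) and needed not in order:
                findings.append((section, option, needed))
    return findings

if __name__ == "__main__":
    for section, option, needed in audit_access_order(SAMPLE_CONF):
        print(f"[{section}] {option} is set but '{needed}' is not in ldap_access_order")
```

On the sample, `domain/corp` is flagged because the expiry policy is set while the order is left at its default, and `domain/dmz` is flagged because the order omits `filter` even though a filter is configured.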