#1841 document what does access_provider=ad do
Closed: Fixed None Opened 6 years ago by jhrozek.

The sssd-ad manual page does not say what does the access_provider=ad mean and some users would then think it is krb5 access control. We should add that info.


Can you explain here what it is?

The access_provider=ad checks if the user is expired or not. Basically it would expand to:

access_provider=ldap
ldap_access_order = expire
ldap_account_expire_policy = ad

Fields changed

owner: somebody => jhrozek
patch: 0 => 1

For the record, that's only the current behavior of the AD access_provider. When I built it, I designed it to be a full access provider with the possibility of multiple stages (like the IPA access_provider). In the first pass, I only handled password policy, but the plan was to be able to also support eventually a GPO-based authorization check.

cc: => sgallagh

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

This is proposed for RHEL6, too and I'd like to keep the RHEL6 code close to the sssd-1-9 branch, so I'll move the ticket to 1.9.5 upstream.

milestone: SSSD 1.10 beta => SSSD 1.9.5

resolution: => fixed
status: new => closed

Replying to [comment:4 sgallagh]:

For the record, that's only the current behavior of the AD access_provider. When I built it, I designed it to be a full access provider with the possibility of multiple stages (like the IPA access_provider). In the first pass, I only handled password policy, but the plan was to be able to also support eventually a GPO-based authorization check.

Right, when (hopefully not if) we get to extending the password policy, we'll have to amend the man page as well.

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.5

2 years ago

Login to comment on this ticket.

Metadata