Currently the default access provider for the AD identity provider is "permit", while the AD access provider checks if the account is expired. But many users would like the option to check the access based on a filter. Currently the only way is to configure the LDAP access provider, which is error-prone and clumsy.
We should add one more configuration option "ad_access_filter" that, if set, would augment the AD access provider so that it first checks if the account is expired and, if it's not, then proceeds to check if the account matches the filter without having to configure the LDAP provider.
See also ticket #1977 and #1975.
priority: major => critical
summary: RFE: Add a new option ad_access_filter => [RFE] Add a new option ad_access_filter
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1008000
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1008000 1008000]
design: => https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessControl
design_review: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.11.1
owner: somebody => jhrozek
status: new => assigned
Unlikely this will make 1.11.1; I'd rather have more time to review and have this feature as part of 1.11.2. Can be delivered to RHEL-7 as a patch.
milestone: SSSD 1.11.1 => SSSD 1.11.2
patch: 0 => 1
resolution: => fixed
status: assigned => closed
changelog: => The SSSD acquired a new option, ad_access_filter, that, if set, restricts who can log in to the client machine. All users must match that filter. As opposed to the ldap_access_filter, no additional configuration is needed; all connection parameters are inherited from the AD provider.
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.2
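An added illustration, not taken from the ticket or the SSSD sources: two alternative sssd.conf domain sections contrasting the LDAP access provider workaround the ticket describes with the ad_access_filter option from the changelog. The domain name, the group DN and the particular ldap_* connection options shown are assumptions made for the example.

```ini
# Constructed example: use ONE of the two [domain/...] sections, not both.
# example.com and the linux-admins group DN are placeholders.

# --- Before: filter-based access control via the LDAP access provider ---
# The access provider is switched to "ldap", so the expiration policy and
# the connection settings have to be spelled out by hand.
[domain/example.com]
id_provider = ad
access_provider = ldap
# Evaluate the filter, then the account expiration check.
ldap_access_order = filter, expire
# Use Active Directory semantics for the expiration check.
ldap_account_expire_policy = ad
ldap_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)
# Connection details are not inherited from the AD provider here;
# further ldap_* settings may be required depending on the environment.
ldap_sasl_mech = GSSAPI

# --- After: the same policy with the AD access provider ---
# access_provider must be set explicitly, because the default access
# provider for the AD identity provider is "permit".
[domain/example.com]
id_provider = ad
access_provider = ad
# Account expiration is checked first; non-expired accounts must then
# match this filter. Connection parameters come from the AD provider.
ad_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)
```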