#2082 [RFE] Add a new option ad_access_filter
Closed: Fixed None Opened 5 years ago by jhrozek.

Currently the default access provider for the AD identity provider is "permit", while the AD access provider checks if the account is expired. But many users would like the option to check the access based on a filter. Currently the only way is to configure the LDAP access provider, which is error-prone and clumsy.

We should add one more configuration option "ad_access_filter" that, if set, would augment the AD access provider so that it first checks if the account is expired and if it's not, then proceed to check if the account matches the filter without having to configure the LDAP provider.

See also ticket #1977 and #1975.


Fields changed

priority: major => critical

Fields changed

summary: RFE: Add a new option ad_access_filter => [RFE] Add a new option ad_access_filter

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.1

Fields changed

owner: somebody => jhrozek
status: new => assigned

Unlikely this will make 1.11.1, I'd rather have more time to review and have this feature as part of 1.11.2. Can be delivered to RHEL-7 as a patch.

milestone: SSSD 1.11.1 => SSSD 1.11.2

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Fields changed

changelog: => The SSSD acquired a new option ad_access_filter, that, if set, restricts who can log in to the client machine. All users must match that filter. As opposed to the ldap_access_filter, no additional configuration is needed, all connection parameters are inherited from the AD provider.

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.2

2 years ago

Login to comment on this ticket.

Metadata