#3701 [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login.
Closed: Fixed 2 months ago by jhrozek. Opened 7 months ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1564088

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

1. Proposed title of this feature request
---> Allow changing default behavior of SSSD from an allow-any default to a
deny-any default when it can't find any GPOs to apply to a user login.


3. What is the nature and description of the request?
---> Need an option to allow changing default behavior of SSSD from an
allow-any default to a deny-any default when it can't find any GPOs to apply to
a user login.

4. Why does the customer need this? (List the business requirements here)
---> The only available behavior of SSSD in the event of GPO processing errors
is to allow any realm logins to occur. Meaning if someone messes up a GPO
security setting (or who knows what else) we no longer have any effective
access control on our Linux hosts. We should be able to specify a deny-login
policy in the event GPO processing errors occur.

5. How would the customer like to achieve this? (List the functional
requirements here)
---> Add a config option to sssd.conf called 'ad_gpo_deny_access_on_failure' to
ensure if any GPO processing failures are encountered no realm logins are
permitted.

6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully
implemented.
--->

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1564088

7 months ago

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue priority set to: minor
- Issue set to the milestone: SSSD 2.0

7 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

3 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago
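
An added example, not part of this ticket or of SSSD's own code: a small audit of `sssd.conf` that lists AD domains where a user with no applicable GPO is still allowed to log in. It assumes the `ad_gpo_implicit_deny` option documented in sssd-ad(5), a name that does not appear in this ticket (the ticket proposes 'ad_gpo_deny_access_on_failure'), and it treats an unset `ad_gpo_access_control` as `enforcing`. The sample configuration, domain names and function name are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf (not from the ticket): two AD domains.
SAMPLE_CONF = """
[sssd]
domains = corp.example.com, lab.example.com

[domain/corp.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing

[domain/lab.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = True
"""


def gpo_fail_open_domains(conf_text):
    """Return AD domains that enforce GPO access control but still allow a
    login when no GPO applies (ad_gpo_implicit_deny absent or not true)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # Only domains that explicitly use the AD access provider are checked.
        if dom.get("access_provider", "").strip().lower() != "ad":
            continue
        # Assumption: an unset ad_gpo_access_control means "enforcing".
        mode = dom.get("ad_gpo_access_control", "enforcing").strip().lower()
        if mode != "enforcing":
            continue
        # Assumption: ad_gpo_implicit_deny defaults to false when unset.
        implicit_deny = dom.get("ad_gpo_implicit_deny", "false").strip().lower()
        if implicit_deny != "true":
            findings.append(section[len("domain/"):])
    return findings


if __name__ == "__main__":
    for name in gpo_fail_open_domains(SAMPLE_CONF):
        print(f"{name}: login allowed when no GPO applies; "
              "consider ad_gpo_implicit_deny = True")
```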
