#3701 [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login.
Closed: Fixed 5 years ago Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1564088

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

1. Proposed title of this feature request
---> Allow changing default behavior of SSSD from an allow-any default to a
deny-any default when it can't find any GPOs to apply to a user login.


3. What is the nature and description of the request?
---> Need an option to allow changing default behavior of SSSD from an
allow-any default to a deny-any default when it can't find any GPOs to apply to
a user login.

4. Why does the customer need this? (List the business requirements here)
---> The only available behavior of SSSD in the event of GPO processing errors
is to allow any realm logins to occur. Meaning if someone messes up a GPO
security setting (or who knows what else) we no longer have any effective
access control on our Linux hosts. We should be able to specify a deny-login
policy in the event GPO processing errors occur.

5. How would the customer like to achieve this? (List the functional
requirements here)
---> Add a config option to sssd.conf called 'ad_gpo_deny_access_on_failure' to
ensure if any GPO processing failures are encountered no realm logins are
permitted.

6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully
implemented.
--->

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1564088

5 years ago

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue priority set to: minor
- Issue set to the milestone: SSSD 2.0

5 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

5 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4715

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
