= Proposed Self Contained Change: SSSD GPO-Based Access Control =
https://fedoraproject.org/wiki/Changes/SssdGpoBasedAccessControl
Change owner(s): Yassir Elley yelley@redhat.com
This change will enhance SSSD by adding support for centrally managed host-based access control in an Active Directory (AD) environment, using Group Policy Objects (GPOs).
== Detailed Description ==
GPO policy settings are commonly used to manage host-based access control in an AD environment. The two specific GPO policy settings ("Allow Log On Locally" and "Deny Log On Locally") essentially serve as a whitelist and blacklist of domain users/groups that are consulted to determine whether logon access to a particular domain computer should be granted. When dealing with GPOs, there is typically a management piece (used to specify the policy settings) and a client-side processing piece (used to retrieve and enforce the policy settings). Since the two policy settings of interest already exist in AD, administrators can continue to use existing mechanisms to specify the whitelist and blacklist (e.g. Group Policy Management Console, or GPMC). As such, this change is related only to the retrieval and enforcement of policy settings.

This change only affects SSSD's AD provider. It has no effect on any other SSSD providers (e.g. IPA provider). The upstream design page that includes deeper technical details can be found in the SSSD Trac [1].
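The client-side enforcement step described above, as an added Python sketch (not SSSD's code and not part of the original proposal). It relies on the fact that Windows stores these two settings in a GPO's GptTmpl.inf security template under `[Privilege Rights]` as `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight`; the evaluation rule (deny wins, an absent allow setting means no restriction), the function names and the sample SIDs are assumptions made for illustration.

```python
import configparser

ALLOW_KEY = "SeInteractiveLogonRight"      # "Allow Log On Locally"
DENY_KEY = "SeDenyInteractiveLogonRight"   # "Deny Log On Locally"

# Constructed sample of a GptTmpl.inf security template; the domain SIDs are made up.
SAMPLE_GPT_TMPL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105,*S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1190
"""


def parse_logon_rights(text):
    """Return (allow, deny) as sets of SIDs; None means the setting is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)

    def sids(key):
        # Option names are matched case-insensitively by configparser.
        if not cp.has_option("Privilege Rights", key):
            return None
        raw = cp.get("Privilege Rights", key)
        # SIDs are written with a leading '*'; strip it and ignore empty items.
        return {item.strip().lstrip("*") for item in raw.split(",") if item.strip()}

    return sids(ALLOW_KEY), sids(DENY_KEY)


def logon_allowed(user_sids, allow, deny):
    """user_sids: the user's own SID plus the SIDs of every group the user is in."""
    user_sids = set(user_sids)
    if deny and user_sids & deny:
        return False      # assumption: a deny match overrides any allow match
    if allow is None:
        return True       # assumption: no allow setting means no restriction
    return bool(user_sids & allow)   # a present but empty allow list admits nobody


if __name__ == "__main__":
    allow, deny = parse_logon_rights(SAMPLE_GPT_TMPL)
    member = ["S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1105"]
    print(logon_allowed(member, allow, deny))
```
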
== Scope ==
Since this functionality would only be used by SSSD's AD provider, it would be included as part of the sssd-ad package. This feature would be enabled by default, but a build switch would be provided for those who do not wish to deploy this functionality.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
[1] http://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
devel-announce@lists.fedoraproject.org