commit 1f51fa44c8f7b05c62322a275c4ef7b1fce2bd47
Author: Simon Clark simon.richard.clark@gmail.com
Date: Tue Oct 28 21:45:38 2014 +0000
Revised SSSD GPO Access Control entry.
en-US/Security.xml | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) --- diff --git a/en-US/Security.xml b/en-US/Security.xml index 7aa05b1..a6d667a 100644 --- a/en-US/Security.xml +++ b/en-US/Security.xml 
@@ -9,27 +9,26 @@ <title>Security</title> <para /> <section id="sssd-gpo-access-control"> - <title>sssd GPO-Based Access Control</title> - <para>sssd now supports centrally managed, host-based access + <title>SSSD GPO-Based Access Control</title> + <para>SSSD now supports centrally managed, host-based access control in an Active Directory (AD) environment, using Group Policy Objects (GPOs).</para> <para>GPO policy settings are commonly used to manage - host-based access control in an AD environment. The two - specific GPO policy settings ("Allow Log On Locally" and "Deny - Log On Locally") essentially serve as a whitelist and blacklist - of domain users and groups and they are consulted to determine - whether logon access to a particular domain computer should be - granted. When dealing with GPOs, there is typically a - management piece (used to specify the policy settings) and a - client-side processing piece (used to retrieve and enforce the - policy settings). Since the two policy settings of interest - already exist in AD, administrators can continue to use - existing mechanisms to specify the whitelist and blacklist - (e.g. Group Policy Management Console, or GPMC). As such, this - change is related only to the retrieval and enforcement of - policy settings. This change only affects SSSD's AD provider. - It has no effect on any other SSSD providers (e.g. IPA - provider).</para> + host-based access control in an AD environment. SSSD supports + local logons, remote logons, service logons and more. Each of + these standard GPO security options can be mapped to any PAM + service, allowing administrators to comprehensively configure + their systems.</para> + <para>This enhancement to SSSD is related only to the retrieval + and enforcement of AD policy settings. 
Administrators can + continue to use the existing AD tool set to specify policy + settings.</para> + <para>The new functionality only affects SSSD's AD provider and + has no effect on any other SSSD providers (e.g. IPA provider). + By default, SSSD's AD provider will be installed in + "permissive" mode, so that it won't break upgrades. + Administrators will need to set "enforcing" mode manually (see + sssd-ad(5)).</para> <para>More information about this change can be found at: <ulink url="https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration" /></para> </section>
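Review bot: The last added paragraph ("By default, SSSD's AD provider will be installed in "permissive" mode, so that it won't break upgrades") never says what permissive mode means for access decisions, so a reader can finish this section believing that GPO logon restrictions already apply after an upgrade. Say explicitly whether GPO rules can deny a logon in permissive mode, and name the configuration option that switches to "enforcing" instead of only pointing at sssd-ad(5). In the second paragraph, "SSSD supports local logons, remote logons, service logons and more" replaces the removed "Allow Log On Locally" and "Deny Log On Locally" names with an open-ended list; enumerate the GPO logon rights that are evaluated, or state where the mapping from each right to PAM services is documented, so administrators can tell which services are covered by a given policy setting.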
docs-commits@lists.fedoraproject.org