commit ae2a6cc9f72795673239937521b1ed5e0e51ee28
Author: Simon Clark simon.richard.clark@gmail.com
Date: Mon Oct 27 22:02:58 2014 +0000
Added an entry for sssd GPO-Based Access Control.
en-US/Security.xml | 35 +++++++++++++++++++++++++++++------ 1 files changed, 29 insertions(+), 6 deletions(-) --- diff --git a/en-US/Security.xml b/en-US/Security.xml index b2d8812..7aa05b1 100644 --- a/en-US/Security.xml +++ b/en-US/Security.xml 
@@ -1,13 +1,36 @@ -<?xml version='1.0' encoding='utf-8' ?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ +<?xml version='1.0' encoding='utf-8'?> +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" +[ <!ENTITY % BOOK_ENTITIES SYSTEM "Release_Notes.ent"> %BOOK_ENTITIES; ]> - <section> <title>Security</title> <para /> - + <section id="sssd-gpo-access-control"> + <title>sssd GPO-Based Access Control</title> + <para>sssd now supports centrally managed, host-based access + control in an Active Directory (AD) environment, using Group + Policy Objects (GPOs).</para> + <para>GPO policy settings are commonly used to manage + host-based access control in an AD environment. The two + specific GPO policy settings ("Allow Log On Locally" and "Deny + Log On Locally") essentially serve as a whitelist and blacklist + of domain users and groups and they are consulted to determine + whether logon access to a particular domain computer should be + granted. When dealing with GPOs, there is typically a + management piece (used to specify the policy settings) and a + client-side processing piece (used to retrieve and enforce the + policy settings). Since the two policy settings of interest + already exist in AD, administrators can continue to use + existing mechanisms to specify the whitelist and blacklist + (e.g. Group Policy Management Console, or GPMC). As such, this + change is related only to the retrieval and enforcement of + policy settings. This change only affects SSSD's AD provider. + It has no effect on any other SSSD providers (e.g. IPA + provider).</para> + <para>More information about this change can be found at: + <ulink url="https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration" /></para> + </section> </section> - -
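Review bot: The second <para> of the new sssd-gpo-access-control section says the change covers "retrieval and enforcement of policy settings" but never states whether enforcement is active by default after an upgrade or which configuration setting controls it. An administrator whose domain already has "Allow Log On Locally" / "Deny Log On Locally" GPOs cannot tell from this note whether logins on AD-joined hosts will start being denied. Suggest adding a sentence giving the default behaviour and how to enable or disable the check, rather than leaving that to the linked design document. Two smaller points: the title and first <para> write "sssd" while the later sentences write "SSSD", so pick one spelling; and the reflow of the XML declaration and DOCTYPE at the top of the hunk is unrelated to the new entry and would be cleaner as a separate commit.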
docs-commits@lists.fedoraproject.org