On Thu, Feb 25, 2010 at 08:50:43PM +0100, Sumit Bose wrote:
> On Thu, Feb 25, 2010 at 01:27:34PM -0500, Stephen Gallagher wrote:
>> On 02/25/2010 12:31 PM, Sumit Bose wrote:
>>> Hi,
>>>
>>> this is the second try to fix #392. This patch adds a new provider
>>> called simple with an access target which can allow/deny access based on
>>> a list of user names.
>>
>> Nack.
>>
>> You didn't update the SSSDConfigTest.py. It's failing.
>>
>> The manpages are very hard to follow. Might I suggest that they read:
>>
>>
>> NAME
>> sssd-simple - the configuration file for SSSD's 'simple' access-control
>> provider
>>
>>
>> DESCRIPTION
>> This manual page describes the configuration of the simple
>> access-control provider for sssd(8). For a detailed syntax reference,
>> refer to the “FILE FORMAT” section of the sssd.conf(5) manual page.
>>
>> The simple access provider grants or denies access based on an access
>> or deny list of user names. Here the following rules apply:
>>
>> · If both lists are empty, access is granted
>>
>> · If simple_allow_users is set, only users from this list are allowed
>> access.
>> This setting supersedes the simple_deny_users list (which would be
>> redundant).
>>
>> · If the simple_allow_users list is empty, users are allowed access
>> unless they appear in the simple_deny_users list
>>
>> CONFIGURATION OPTIONS
>> Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page
>> for details on the configuration of an SSSD domain.
>>
>> simple_allow_users (string)
>> Comma separated list of users who are allowed to log in.
>>
>> simple_deny_users (string)
>> Comma separated list of users who are rejected if
>> simple_allow_users is not set.
>>
>> EXAMPLE
>> The following example assumes that SSSD is correctly configured and
>> example.com is one of the domains in the [sssd] section. This example
>> shows only the simple access provider-specific options.
>>
>> [domain/example.com]
>> access_provider = simple
>> simple_allow_users = user1, user2
>>
>> SEE ALSO
>> sssd.conf(5), sssd(8)
>>
>> AUTHORS
>> The SSSD upstream - http://fedorahosted.org/sssd
>>
>>
>> - --
>> Stephen Gallagher
>> RHCE 804006346421761
>>
>> Delivering value year after year.
>> Red Hat ranks #1 in value among software vendors.
>> http://www.redhat.com/promo/vendor/
> new version attached.
>
Hi,
I forgot to include a hunk in the Makefile.am patch. New version
attached.
bye,
Sumit

Should allowing access override denying access in the interests of good
security practices? e.g., if I'm in both Allow and Deny lists, I'd
expect to be denied access.
--
David O'Brien
Red Hat Asia Pacific Pty Ltd
"He who asks is a fool for five minutes, but he who does not ask remains
a fool forever."
~ Chinese proverb
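
The precedence question raised in this thread, as an added example (not SSSD code and not part of the attached patch): a Python sketch that evaluates the rules as worded in the proposed man page text, next to a deny-takes-precedence variant, and reports users present in both lists. All function names and the sample configuration are assumptions made for illustration.

```python
import configparser

# Constructed sample configuration; user2 is deliberately in both lists.
SAMPLE_CONF = """
[domain/example.com]
access_provider = simple
simple_allow_users = user1, user2
simple_deny_users = user2, user3
"""

def parse_user_list(value):
    """Split a comma separated option into a set of names, dropping blanks."""
    return {name.strip() for name in (value or "").split(",") if name.strip()}

def load_lists(conf_text, domain):
    """Return (allow, deny) sets for one [domain/<name>] section."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    section = parser["domain/" + domain]
    return (parse_user_list(section.get("simple_allow_users")),
            parse_user_list(section.get("simple_deny_users")))

def simple_access_check(user, allow, deny):
    """Rules as worded in the proposed man page text."""
    if allow:
        # A non-empty allow list supersedes the deny list entirely.
        return user in allow
    # Empty allow list: the deny list decides; both empty grants access.
    return user not in deny

def deny_wins_check(user, allow, deny):
    """Hypothetical alternative: a deny entry always takes precedence."""
    if user in deny:
        return False
    return not allow or user in allow

def conflicting_users(allow, deny):
    """Users listed in both options; worth flagging in a config review."""
    return sorted(allow & deny)

if __name__ == "__main__":
    allow, deny = load_lists(SAMPLE_CONF, "example.com")
    for user in ("user1", "user2", "user3", "user4"):
        print(user, simple_access_check(user, allow, deny),
              deny_wins_check(user, allow, deny))
    print("in both lists:", conflicting_users(allow, deny))
```

The two policies differ only for users returned by `conflicting_users`, so checking a configuration for that overlap shows where the choice of precedence changes the outcome.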