When I have the following in a domain in sssd.conf:
    access_provider = simple
    simple_allow_users =
... any user is allowed to log in, despite the list being empty. The
documentation states:
· If either or both "allow" lists are provided, all users are denied
unless they appear in the list.
The list is provided, albeit empty. The simple access provider however
treats it as if it is not provided.
Since sssd.conf is often machine driven, this sort of unexpected
behavior leads to security problems like: removing a user from the
simple_allow_users ACL leads to any user being allowed.
I've worked around this behavior in realmd, by using a comma:
Bug:
https://bugs.freedesktop.org/show_bug.cgi?id=56027
Patch:
https://bugs.freedesktop.org/attachment.cgi?id=68615
Attached is a rough patch to sssd which fixes the problem. If you think
it's worth fixing, I'll do more testing on it.
Cheers,
Stef
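
Added example, not part of the original mail and not sssd or realmd code: a check for machine-generated sssd.conf files that flags domains using the simple access provider where an allow list is present but blank and no other allow list is populated, which is the case the mail describes. The domain names and the function name are made up, and treating a lone comma as a populated list follows the realmd workaround mentioned in the mail.

```python
import configparser

ALLOW_KEYS = ("simple_allow_users", "simple_allow_groups")

# Constructed sample sssd.conf; the domain names are made up.
SAMPLE = """\
[sssd]
domains = open.example, workaround.example, ok.example

[domain/open.example]
access_provider = simple
simple_allow_users =

[domain/workaround.example]
access_provider = simple
simple_allow_users = ,

[domain/ok.example]
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups =
"""


def find_fail_open_domains(conf_text):
    """Return {section: [blank allow keys]} for simple-provider domains
    whose allow lists are all either missing or blank.

    Assumption (from the mail above): a blank allow list is treated as
    if it was not provided, so such a domain admits any user.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("access_provider", "").strip().lower() != "simple":
            continue
        # Key written out, but nothing (or only whitespace) after "=".
        blank = [k for k in ALLOW_KEYS if k in opts and not opts[k].strip()]
        # A lone comma counts as populated: it is the realmd workaround.
        populated = [k for k in ALLOW_KEYS if opts.get(k, "").strip()]
        if blank and not populated:
            findings[section] = blank
    return findings


if __name__ == "__main__":
    for section, keys in find_fail_open_domains(SAMPLE).items():
        print(f"{section}: blank {', '.join(keys)}, list treated as not provided")
```

Running it on the generated file before sssd is restarted catches the "last user removed from the list" case at the point where the config is written.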