[SSSD] Unexpected behavior with 'simple_allow_users ='

When I have the following in a domain in sssd.conf: access_provider = simple simple_allow_users = ... any user is allowed to log in, despite the list being empty. The documentation states: · If either or both "allow" lists are provided, all users are denied unless they appear in the list. The list is provided, albeit empty. The simple access provider however treats it as if it is not provided. Since sssd.conf is often machine driven, this sort of unexpected behavior leads to security problems like: removing a user from the simple_allow_users acl leads to any user being allowed. I've worked around this behavior in realmd, by using a comma: Bug: https://bugs.freedesktop.org/show_bug.cgi?id=56027 Patch: https://bugs.freedesktop.org/attachment.cgi?id=68615 Attached is a rough patch to sssd which fixes the problem. If you think it's worth fixing, I'll do more testing on it. Cheers, Stef