F21 Self Contained Change: SSSD GPO-Based Access Control

Jaroslav Reznik jreznik at redhat.com
Wed May 14 12:15:32 UTC 2014

= Proposed Self Contained Change: SSSD GPO-Based Access Control = 

Change owner(s): Yassir Elley <yelley at redhat.com>

This change will enhance SSSD, by adding support for centrally managed host-
based access control in an Active Directory (AD) environment, using Group 
Policy Objects (GPOs). 

== Detailed Description ==
GPO policy settings are commonly used to manage host-based access control in 
an AD environment. The two specific GPO policy settings ("Allow Log On 
Locally" and "Deny Log On Locally") essentially serve as a whitelist and 
blacklist of domain users/groups that are consulted to determine whether logon 
access to a particular domain computer should be granted. When dealing with 
GPOs, there is typically a management piece (used to specify the policy 
settings) and a client-side processing piece (used to retrieve and enforce the 
policy settings). Since the two policy settings of interest already exist in 
AD, administrators can continue to use existing mechanisms to specify the 
whitelist and blacklist (e.g. Group Policy Management Console, or GPMC). As 
such, this change is related only to the retrieval and enforcement of policy 
settings. This change only affects SSSD's AD provider. It has no effect on any 
other SSSD providers (e.g. IPA provider).The upstream design page that 
includes deeper technical details can be found in the SSSD Trac [1].

== Scope ==
Since this functionality would only be used by SSSD's AD provider, it would be 
included as part of the sssd-ad package. This feature would be enabled by 
default, but a build switch would be provided for those who do not wish to 
deploy this functionality.

* Other developers: N/A (not a System Wide Change) 
* Release engineering: N/A (not a System Wide Change) 
* Policies and guidelines: N/A (not a System Wide Change) 

[1] http://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration 
devel-announce mailing list
devel-announce at lists.fedoraproject.org

More information about the devel mailing list