[release-notes] Revised SSSD GPO Access Control entry.

Simon Clark sclark at fedoraproject.org
Tue Oct 28 21:46:17 UTC 2014


commit 1f51fa44c8f7b05c62322a275c4ef7b1fce2bd47
Author: Simon Clark <simon.richard.clark at gmail.com>
Date:   Tue Oct 28 21:45:38 2014 +0000

    Revised SSSD GPO Access Control entry.

 en-US/Security.xml |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)
---
diff --git a/en-US/Security.xml b/en-US/Security.xml
index 7aa05b1..a6d667a 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -9,27 +9,26 @@
   <title>Security</title>
   <para />
   <section id="sssd-gpo-access-control">
-    <title>sssd GPO-Based Access Control</title>
-    <para>sssd now supports centrally managed, host-based access
+    <title>SSSD GPO-Based Access Control</title>
+    <para>SSSD now supports centrally managed, host-based access
     control in an Active Directory (AD) environment, using Group
     Policy Objects (GPOs).</para>
     <para>GPO policy settings are commonly used to manage
-    host-based access control in an AD environment. The two
-    specific GPO policy settings ("Allow Log On Locally" and "Deny
-    Log On Locally") essentially serve as a whitelist and blacklist
-    of domain users and groups and they are consulted to determine
-    whether logon access to a particular domain computer should be
-    granted. When dealing with GPOs, there is typically a
-    management piece (used to specify the policy settings) and a
-    client-side processing piece (used to retrieve and enforce the
-    policy settings). Since the two policy settings of interest
-    already exist in AD, administrators can continue to use
-    existing mechanisms to specify the whitelist and blacklist
-    (e.g. Group Policy Management Console, or GPMC). As such, this
-    change is related only to the retrieval and enforcement of
-    policy settings. This change only affects SSSD's AD provider.
-    It has no effect on any other SSSD providers (e.g. IPA
-    provider).</para>
+    host-based access control in an AD environment. SSSD supports
+    local logons, remote logons, service logons and more. Each of
+    these standard GPO security options can be mapped to any PAM
+    service, allowing administrators to comprehensively configure
+    their systems.</para>
+    <para>This enhancement to SSSD is related only to the retrieval
+    and enforcement of AD policy settings. Administrators can
+    continue to use the existing AD tool set to specify policy
+    settings.</para>
+    <para>The new functionality only affects SSSD's AD provider and
+    has no effect on any other SSSD providers (e.g. IPA provider).
+    By default, SSSD's AD provider will be installed in
+    "permissive" mode, so that it won't break upgrades.
+    Administrators will need to set "enforcing" mode manually (see
+    sssd-ad(5)).</para>
     <para>More information about this change can be found at: 
     <ulink url="https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration" /></para>
   </section>
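Review bot: The added paragraph beginning "By default, SSSD's AD provider will be installed in "permissive" mode" never says what permissive mode does with a GPO decision, and it does not name the setting that switches to enforcing. A reader upgrading on the strength of this note cannot tell whether the GPO rules described in the first paragraphs are actually being applied until they change something. Suggest one sentence stating the effect of permissive mode on a logon that policy would deny, and naming the configuration option next to the sssd-ad(5) reference, so the step from "installed" to "enforced" is explicit. Separately, "local logons, remote logons, service logons and more" replaces the two named settings ("Allow Log On Locally" and "Deny Log On Locally") with an open-ended list. Either enumerate the supported GPO logon rights or keep the named pair as an example, and say where the mapping to PAM services is configured. Minor: "won't" reads informally next to the rest of the section; "will not" matches the surrounding register.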

