author | Yassir Elley <yelley@redhat.com> | 2014-09-05 18:45:12 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-08 17:39:53 +0200 |
commit | f2b40ec8a4158fec75873828e4980965abbe7f66 (patch) | |
tree | 623c1a1ca917fc94a284fe9c25b0d75e222d40a1 | |
parent | 97216f0129366ac4850f62dac104b8d280ba517a (diff) | |
AD-GPO: config changes for gpo_map_* options
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 9 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ad.conf | 8 | ||||
-rw-r--r-- | src/man/sssd-ad.5.xml | 329 | ||||
-rw-r--r-- | src/providers/ad/ad_common.h | 9 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 8 |
5 files changed, 362 insertions, 1 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index dc18e1e82..9a49b91b9 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -170,7 +170,14 @@ option_strings = {
 'ad_enable_gc' : _('Whether to use the Global Catalog for lookups'),
 'ad_gpo_access_control' : _('Operation mode for GPO-based access control'),
 'ad_gpo_cache_timeout' : _("The amount of time between lookups of the GPO policy files against the AD server"),
-
+ 'ad_gpo_map_interactive' : _('PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings'),
+ 'ad_gpo_map_remote_interactive' : _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings'),
+ 'ad_gpo_map_network' : _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
+ 'ad_gpo_map_batch' : _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
+ 'ad_gpo_map_service' : _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
+ 'ad_gpo_map_permit' : _('PAM service names for which GPO-based access is always granted'),
+ 'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
+ 'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),
 'krb5_server' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index b9f01bc84..5dd4fb435 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -8,6 +8,14 @@ ad_access_filter = str, None, false
 ad_enable_gc = bool, None, false
 ad_gpo_access_control = str, None, false
 ad_gpo_cache_timeout = int, None, false
+ad_gpo_map_interactive = str, None, false
+ad_gpo_map_remote_interactive = str, None, false
+ad_gpo_map_network = str, None, false
+ad_gpo_map_batch = str, None, false
+ad_gpo_map_service = str, None, false
+ad_gpo_map_permit = str, None, false
+ad_gpo_map_deny = str, None, false
+ad_gpo_default_right = str, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8d90bc133..f63a496d9 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -333,6 +333,335 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) </varlistentry> <varlistentry> + <term>ad_gpo_map_interactive (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the InteractiveLogonRight and + DenyInteractiveLogonRight policy settings. + </para> + <para> + It is possible to add another PAM service name + to the default set by using <quote>+service_name</quote> + or to explicitly remove a PAM service name from + the default set by using <quote>-service_name</quote>. + For example, in order to replace a default PAM service + name for this logon right (e.g. <quote>login</quote>) + with a custom pam service name (e.g. <quote>my_pam_service</quote>), + you would use the following configuration: + <programlisting> + ad_gpo_map_interactive = +my_pam_service, -login + </programlisting> + </para> + <para> + Default: the default set of PAM service names includes: + <itemizedlist> + <listitem> + <para> + login + </para> + </listitem> + <listitem> + <para> + su + </para> + </listitem> + <listitem> + <para> + su-l + </para> + </listitem> + <listitem> + <para> + gdm-fingerprint + </para> + </listitem> + <listitem> + <para> + gdm-password + </para> + </listitem> + <listitem> + <para> + gdm-smartcard + </para> + </listitem> + <listitem> + <para> + kdm + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_map_remote_interactive (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the RemoteInteractiveLogonRight and + DenyRemoteInteractiveLogonRight policy settings. + </para> + <para> + It is possible to add another PAM service name + to the default set by using <quote>+service_name</quote> + or to explicitly remove a PAM service name from + the default set by using <quote>-service_name</quote>. 
+ For example, in order to replace a default PAM service + name for this logon right (e.g. <quote>sshd</quote>) + with a custom pam service name (e.g. <quote>my_pam_service</quote>), + you would use the following configuration: + <programlisting> + ad_gpo_map_remote_interactive = +my_pam_service, -sshd + </programlisting> + </para> + <para> + Default: the default set of PAM service names includes: + <itemizedlist> + <listitem> + <para> + sshd + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_map_network (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the NetworkLogonRight and DenyNetworkLogonRight + policy settings. + </para> + <para> + It is possible to add another PAM service name + to the default set by using <quote>+service_name</quote> + or to explicitly remove a PAM service name from + the default set by using <quote>-service_name</quote>. + For example, in order to replace a default PAM service + name for this logon right (e.g. <quote>ftp</quote>) + with a custom pam service name (e.g. <quote>my_pam_service</quote>), + you would use the following configuration: + <programlisting> + ad_gpo_map_network = +my_pam_service, -ftp + </programlisting> + </para> + <para> + Default: the default set of PAM service names includes: + <itemizedlist> + <listitem> + <para> + ftp + </para> + </listitem> + <listitem> + <para> + samba + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_map_batch (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the BatchLogonRight and DenyBatchLogonRight + policy settings. 
+ </para> + <para> + It is possible to add another PAM service name + to the default set by using <quote>+service_name</quote> + or to explicitly remove a PAM service name from + the default set by using <quote>-service_name</quote>. + For example, in order to replace a default PAM service + name for this logon right (e.g. <quote>crond</quote>) + with a custom pam service name (e.g. <quote>my_pam_service</quote>), + you would use the following configuration: + <programlisting> + ad_gpo_map_batch = +my_pam_service, -crond + </programlisting> + </para> + <para> + Default: the default set of PAM service names includes: + <itemizedlist> + <listitem> + <para> + crond + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_map_service (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the ServiceLogonRight and DenyServiceLogonRight + policy settings. + </para> + <para> + It is possible to add a PAM service name to the + default set by using <quote>+service_name</quote>. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. <quote>my_pam_service</quote>), you + would use the following configuration: + <programlisting> + ad_gpo_map_service = +my_pam_service + </programlisting> + </para> + <para> + Default: not set + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_map_permit (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access is always granted, regardless + of any GPO Logon Rights. + </para> + <para> + It is possible to add another PAM service name + to the default set by using <quote>+service_name</quote> + or to explicitly remove a PAM service name from + the default set by using <quote>-service_name</quote>. 
+ For example, in order to replace a default PAM service + name for unconditionally permitted access (e.g. <quote>sudo</quote>) + with a custom pam service name (e.g. <quote>my_pam_service</quote>), + you would use the following configuration: + <programlisting> + ad_gpo_map_permit = +my_pam_service, -sudo + </programlisting> + </para> + <para> + Default: the default set of PAM service names includes: + <itemizedlist> + <listitem> + <para> + sudo + </para> + </listitem> + <listitem> + <para> + sudo-i + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_map_deny (string)</term> + <listitem> + <para> + A comma-separated list of PAM service names for + which GPO-based access is always denied, regardless + of any GPO Logon Rights. + </para> + <para> + It is possible to add a PAM service name to the + default set by using <quote>+service_name</quote>. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. <quote>my_pam_service</quote>), you + would use the following configuration: + <programlisting> + ad_gpo_map_deny = +my_pam_service + </programlisting> + </para> + <para> + Default: not set + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ad_gpo_default_right (string)</term> + <listitem> + <para> + This option defines how access control is evaluated + for PAM service names that are not explicitly listed + in one of the ad_gpo_map_* options. This option can be + set in two different manners. First, this option can + be set to use a default logon right. For example, if + this option is set to 'interactive', it means that + unmapped PAM service names will be processed based on + the InteractiveLogonRight and DenyInteractiveLogonRight + policy settings. Alternatively, this option can be set + to either always permit or always deny access for + unmapped PAM service names. 
+ </para>
+ <para>
+ Supported values for this option include:
+ <itemizedlist>
+ <listitem>
+ <para>
+ interactive
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ remote_interactive
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ network
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ batch
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ service
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ permit
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ deny
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Default: deny
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term>dyndns_update (boolean)</term>
 <listitem>
 <para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index c3dc6c1a7..df8dcffea 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,14 @@ enum ad_basic_opt {
 AD_ENABLE_GC,
 AD_GPO_ACCESS_CONTROL,
 AD_GPO_CACHE_TIMEOUT,
+ AD_GPO_MAP_INTERACTIVE,
+ AD_GPO_MAP_REMOTE_INTERACTIVE,
+ AD_GPO_MAP_NETWORK,
+ AD_GPO_MAP_BATCH,
+ AD_GPO_MAP_SERVICE,
+ AD_GPO_MAP_PERMIT,
+ AD_GPO_MAP_DENY,
+ AD_GPO_DEFAULT_RIGHT,
 AD_OPTS_BASIC /* opts counter */
 };
@@ -141,4 +149,5 @@ int ad_sudo_init(struct be_ctx *be_ctx,
 struct ad_id_ctx *id_ctx,
 struct bet_ops **ops,
 void **pvt_data);
+
 #endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index a82f7a9e0..1429b990e 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
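Review bot: The new `AD_GPO_MAP_*` and `AD_GPO_DEFAULT_RIGHT` enumerators in the `ad_basic_opt` hunk appear to be used as positional indices into `ad_basic_opts[]` in ad_opts.h (the `AD_OPTS_BASIC /* opts counter */` sentinel suggests as much), so their order must match the table's row order exactly and `AD_OPTS_BASIC` must remain last, yet nothing in the header says so. A one-line comment on the enum, `/* Order must match ad_basic_opts[] in ad_opts.h; AD_OPTS_BASIC stays last. */`, would make that coupling explicit for the next person adding an option. The second hunk in this file only inserts a blank line before `#endif` and is unrelated whitespace noise that could be dropped from the commit.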
@@ -40,6 +40,14 @@ struct dp_option ad_basic_opts[] = {
 { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
 { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_network", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_batch", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_service", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 DP_OPTION_TERMINATOR
 };
|
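Review bot: The table gives `ad_gpo_default_right` a NULL_STRING default, while the man page added in this same commit documents `Default: deny`, and the `ad_gpo_map_*` rows likewise default to NULL_STRING although the documentation lists non-empty default sets (login, su, sshd, crond, sudo, ...). If the fallback to deny and the default service sets are applied by whatever consumes these options, that code is not in this commit, so the fail-closed behaviour is invisible at the option layer and a NULL value that is not explicitly treated as deny would silently widen access for every unmapped PAM service. I would pin the documented default in the table, `{ "ad_gpo_default_right", DP_OPT_STRING, { "deny" }, NULL_STRING },`, mirroring how `ad_gpo_access_control` carries `{ "permissive" }` three rows up, and add a comment above the `ad_gpo_map_*` rows stating that their documented default sets are merged in elsewhere, since NULL here does not mean "no services". The value is free-form, so the parser should also reject anything outside the seven documented names rather than fall through to permit.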