authorYassir Elley <yelley@redhat.com>2014-09-05 18:45:12 -0400
committerJakub Hrozek <jhrozek@redhat.com>2014-09-08 17:39:53 +0200
commitf2b40ec8a4158fec75873828e4980965abbe7f66 (patch)
tree623c1a1ca917fc94a284fe9c25b0d75e222d40a1
parent97216f0129366ac4850f62dac104b8d280ba517a (diff)
AD-GPO: config changes for gpo_map_* options
Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/config/SSSDConfig/__init__.py.in9
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf8
-rw-r--r--src/man/sssd-ad.5.xml329
-rw-r--r--src/providers/ad/ad_common.h9
-rw-r--r--src/providers/ad/ad_opts.h8
5 files changed, 362 insertions, 1 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index dc18e1e82..9a49b91b9 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -170,7 +170,14 @@ option_strings = {
'ad_enable_gc' : _('Whether to use the Global Catalog for lookups'),
'ad_gpo_access_control' : _('Operation mode for GPO-based access control'),
'ad_gpo_cache_timeout' : _("The amount of time between lookups of the GPO policy files against the AD server"),
-
+ 'ad_gpo_map_interactive' : _('PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings'),
+ 'ad_gpo_map_remote_interactive' : _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings'),
+ 'ad_gpo_map_network' : _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
+ 'ad_gpo_map_batch' : _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
+ 'ad_gpo_map_service' : _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
+ 'ad_gpo_map_permit' : _('PAM service names for which GPO-based access is always granted'),
+ 'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
+ 'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
'krb5_server' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index b9f01bc84..5dd4fb435 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -8,6 +8,14 @@ ad_access_filter = str, None, false
ad_enable_gc = bool, None, false
ad_gpo_access_control = str, None, false
ad_gpo_cache_timeout = int, None, false
+ad_gpo_map_interactive = str, None, false
+ad_gpo_map_remote_interactive = str, None, false
+ad_gpo_map_network = str, None, false
+ad_gpo_map_batch = str, None, false
+ad_gpo_map_service = str, None, false
+ad_gpo_map_permit = str, None, false
+ad_gpo_map_deny = str, None, false
+ad_gpo_default_right = str, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8d90bc133..f63a496d9 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -333,6 +333,335 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</varlistentry>
<varlistentry>
+ <term>ad_gpo_map_interactive (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access control is evaluated based on
+ the InteractiveLogonRight and
+ DenyInteractiveLogonRight policy settings.
+ </para>
+ <para>
+ It is possible to add another PAM service name
+ to the default set by using <quote>+service_name</quote>
+ or to explicitly remove a PAM service name from
+ the default set by using <quote>-service_name</quote>.
+ For example, in order to replace a default PAM service
+ name for this logon right (e.g. <quote>login</quote>)
+ with a custom pam service name (e.g. <quote>my_pam_service</quote>),
+ you would use the following configuration:
+ <programlisting>
+ ad_gpo_map_interactive = +my_pam_service, -login
+ </programlisting>
+ </para>
+ <para>
+ Default: the default set of PAM service names includes:
+ <itemizedlist>
+ <listitem>
+ <para>
+ login
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ su
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ su-l
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ gdm-fingerprint
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ gdm-password
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ gdm-smartcard
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ kdm
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_map_remote_interactive (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access control is evaluated based on
+ the RemoteInteractiveLogonRight and
+ DenyRemoteInteractiveLogonRight policy settings.
+ </para>
+ <para>
+ It is possible to add another PAM service name
+ to the default set by using <quote>+service_name</quote>
+ or to explicitly remove a PAM service name from
+ the default set by using <quote>-service_name</quote>.
+ For example, in order to replace a default PAM service
+ name for this logon right (e.g. <quote>sshd</quote>)
+ with a custom pam service name (e.g. <quote>my_pam_service</quote>),
+ you would use the following configuration:
+ <programlisting>
+ ad_gpo_map_remote_interactive = +my_pam_service, -sshd
+ </programlisting>
+ </para>
+ <para>
+ Default: the default set of PAM service names includes:
+ <itemizedlist>
+ <listitem>
+ <para>
+ sshd
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_map_network (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access control is evaluated based on
+ the NetworkLogonRight and DenyNetworkLogonRight
+ policy settings.
+ </para>
+ <para>
+ It is possible to add another PAM service name
+ to the default set by using <quote>+service_name</quote>
+ or to explicitly remove a PAM service name from
+ the default set by using <quote>-service_name</quote>.
+ For example, in order to replace a default PAM service
+ name for this logon right (e.g. <quote>ftp</quote>)
+ with a custom pam service name (e.g. <quote>my_pam_service</quote>),
+ you would use the following configuration:
+ <programlisting>
+ ad_gpo_map_network = +my_pam_service, -ftp
+ </programlisting>
+ </para>
+ <para>
+ Default: the default set of PAM service names includes:
+ <itemizedlist>
+ <listitem>
+ <para>
+ ftp
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ samba
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_map_batch (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access control is evaluated based on
+ the BatchLogonRight and DenyBatchLogonRight
+ policy settings.
+ </para>
+ <para>
+ It is possible to add another PAM service name
+ to the default set by using <quote>+service_name</quote>
+ or to explicitly remove a PAM service name from
+ the default set by using <quote>-service_name</quote>.
+ For example, in order to replace a default PAM service
+ name for this logon right (e.g. <quote>crond</quote>)
+ with a custom pam service name (e.g. <quote>my_pam_service</quote>),
+ you would use the following configuration:
+ <programlisting>
+ ad_gpo_map_batch = +my_pam_service, -crond
+ </programlisting>
+ </para>
+ <para>
+ Default: the default set of PAM service names includes:
+ <itemizedlist>
+ <listitem>
+ <para>
+ crond
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_map_service (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access control is evaluated based on
+ the ServiceLogonRight and DenyServiceLogonRight
+ policy settings.
+ </para>
+ <para>
+ It is possible to add a PAM service name to the
+ default set by using <quote>+service_name</quote>.
+ Since the default set is empty, it is not possible
+ to remove a PAM service name from the default set.
+ For example, in order to add a custom pam service
+ name (e.g. <quote>my_pam_service</quote>), you
+ would use the following configuration:
+ <programlisting>
+ ad_gpo_map_service = +my_pam_service
+ </programlisting>
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_map_permit (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access is always granted, regardless
+ of any GPO Logon Rights.
+ </para>
+ <para>
+ It is possible to add another PAM service name
+ to the default set by using <quote>+service_name</quote>
+ or to explicitly remove a PAM service name from
+ the default set by using <quote>-service_name</quote>.
+ For example, in order to replace a default PAM service
+ name for unconditionally permitted access (e.g. <quote>sudo</quote>)
+ with a custom pam service name (e.g. <quote>my_pam_service</quote>),
+ you would use the following configuration:
+ <programlisting>
+ ad_gpo_map_permit = +my_pam_service, -sudo
+ </programlisting>
+ </para>
+ <para>
+ Default: the default set of PAM service names includes:
+ <itemizedlist>
+ <listitem>
+ <para>
+ sudo
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ sudo-i
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_map_deny (string)</term>
+ <listitem>
+ <para>
+ A comma-separated list of PAM service names for
+ which GPO-based access is always denied, regardless
+ of any GPO Logon Rights.
+ </para>
+ <para>
+ It is possible to add a PAM service name to the
+ default set by using <quote>+service_name</quote>.
+ Since the default set is empty, it is not possible
+ to remove a PAM service name from the default set.
+ For example, in order to add a custom pam service
+ name (e.g. <quote>my_pam_service</quote>), you
+ would use the following configuration:
+ <programlisting>
+ ad_gpo_map_deny = +my_pam_service
+ </programlisting>
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ad_gpo_default_right (string)</term>
+ <listitem>
+ <para>
+ This option defines how access control is evaluated
+ for PAM service names that are not explicitly listed
+ in one of the ad_gpo_map_* options. This option can be
+ set in two different manners. First, this option can
+ be set to use a default logon right. For example, if
+ this option is set to 'interactive', it means that
+ unmapped PAM service names will be processed based on
+ the InteractiveLogonRight and DenyInteractiveLogonRight
+ policy settings. Alternatively, this option can be set
+ to either always permit or always deny access for
+ unmapped PAM service names.
+ </para>
+ <para>
+ Supported values for this option include:
+ <itemizedlist>
+ <listitem>
+ <para>
+ interactive
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ remote_interactive
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ network
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ batch
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ service
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ permit
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ deny
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Default: deny
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index c3dc6c1a7..df8dcffea 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,14 @@ enum ad_basic_opt {
AD_ENABLE_GC,
AD_GPO_ACCESS_CONTROL,
AD_GPO_CACHE_TIMEOUT,
+ AD_GPO_MAP_INTERACTIVE,
+ AD_GPO_MAP_REMOTE_INTERACTIVE,
+ AD_GPO_MAP_NETWORK,
+ AD_GPO_MAP_BATCH,
+ AD_GPO_MAP_SERVICE,
+ AD_GPO_MAP_PERMIT,
+ AD_GPO_MAP_DENY,
+ AD_GPO_DEFAULT_RIGHT,
AD_OPTS_BASIC /* opts counter */
};
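Review bot: The eight enumerators added before `AD_OPTS_BASIC` are positional indices into `ad_basic_opts[]` in ad_opts.h, and nothing in either file checks that the two lists keep the same order when the next option is inserted. A one-line comment on the enum would make the coupling explicit: `/* order must match ad_basic_opts[] in ad_opts.h */`. If the project's build permits C11, a `_Static_assert` in the translation unit that includes ad_opts.h, comparing the array's element count against `AD_OPTS_BASIC + 1` (the terminator entry), would turn the comment into a compile-time check.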
@@ -141,4 +149,5 @@ int ad_sudo_init(struct be_ctx *be_ctx,
struct ad_id_ctx *id_ctx,
struct bet_ops **ops,
void **pvt_data);
+
#endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index a82f7a9e0..1429b990e 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -40,6 +40,14 @@ struct dp_option ad_basic_opts[] = {
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_network", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_batch", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_service", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
DP_OPTION_TERMINATOR
};
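Review bot: `ad_gpo_default_right` is given `NULL_STRING` as its default, while the man page in this same commit documents the default as `deny`; the sibling `ad_gpo_access_control` entry a few lines above records its documented default (`{ "permissive" }`) in the table itself. Unless the code that reads this option (not part of this commit) maps an unset value to deny, an unmapped PAM service name would not get the fail-closed behaviour the documentation promises. Recording the documented default here, `{ "ad_gpo_default_right", DP_OPT_STRING, { "deny" }, NULL_STRING },`, keeps the fail-closed default visible in one place and consistent with the rest of the table. The `ad_gpo_map_*` entries likewise default to `NULL_STRING` although the man page lists non-empty default sets (e.g. login, su, sshd, sudo); presumably the consumer merges the documented defaults with the `+`/`-` syntax, so a short comment above these rows stating that the built-in sets live in the consumer would stop readers from concluding the defaults are empty.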