author | Yassir Elley <yelley@redhat.com> | 2014-01-20 11:17:06 -0500 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-05-13 22:17:14 +0200 |
commit | 60cab26b12df9a2153823972cde0c38ca86e01b9 (patch) | |
tree | cc10c6da23140859116510f50cfa7dedbff48277 /src/man/sssd-ad.5.xml | |
parent | 66e1502f956ee71de6cd51c37f7752f8aa14f5f5 (diff) | |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/man/sssd-ad.5.xml')
-rw-r--r-- | src/man/sssd-ad.5.xml | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 539310992..21f735e0a 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml 
@@ -253,6 +253,70 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) </varlistentry> <varlistentry> + <term>ad_gpo_access_control (string)</term> + <listitem> + <para> + This option specifies the operation mode for + GPO-based access control functionality: + whether it operates in disabled mode, enforcing + mode, or permissive mode. Please note that the + <quote>access_provider</quote> option must be + explicitly set to <quote>ad</quote> in order for + this option to have an effect. + </para> + <para> + GPO-based access control functionality uses GPO + policy settings to determine whether or not a + particular user is allowed to logon to a particular + host. + </para> + <para> + NOTE: If the operation mode is set to enforcing, it + is possible that users that were previously allowed + logon access will now be denied logon access (as + dictated by the GPO policy settings). In order to + facilitate a smooth transition for administrators, + a permissive mode is available that will not enforce + the access control rules, but will evaluate them and + will output a syslog message if access would have + been denied. By examining the logs, administrators + can then make the necessary changes before setting + the mode to enforcing. + </para> + <para> + There are three supported values for this option: + <itemizedlist> + <listitem> + <para> + disabled: GPO-based access control rules + are neither evaluated nor enforced. + </para> + </listitem> + <listitem> + <para> + enforcing: GPO-based access control + rules are evaluated and enforced. + </para> + </listitem> + <listitem> + <para> + permissive: GPO-based access control + rules are evaluated, but not enforced. + Instead, a syslog message will be + emitted indicating that the user would + have been denied access if this option's + value were set to enforcing. 
+ </para> + </listitem> + </itemizedlist> + </para> + <para> + Default: permissive + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>dyndns_update (boolean)</term> <listitem> <para> |
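Review bot: In the NOTE paragraph and again in the permissive list item, the text promises "a syslog message" and tells administrators to examine the logs, but it never says what that message contains or at what priority it is logged, so there is nothing concrete to search for before switching to enforcing. Please describe the message, or at least give a stable identifying string. The enforcing entry ("rules are evaluated and enforced") also does not say what happens when the GPO policy settings cannot be retrieved or evaluated. Because this is an access control decision, the man page should state whether logon is allowed or denied in that case. With "Default: permissive", it would also help to say outright that setting access_provider to ad starts evaluation and logging but denies no one until the mode is changed. Minor: "allowed to logon to a particular host" uses the noun as a verb (should be "log on"), and the values disabled, enforcing and permissive are left bare while "access_provider" and "ad" are wrapped in <quote>.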