summaryrefslogtreecommitdiffstats
path: root/src/man/sssd-ad.5.xml
diff options
context:
space:
mode:
authorYassir Elley <yelley@redhat.com>2014-01-20 11:17:06 -0500
committerJakub Hrozek <jhrozek@redhat.com>2014-05-13 22:17:14 +0200
commit60cab26b12df9a2153823972cde0c38ca86e01b9 (patch)
treecc10c6da23140859116510f50cfa7dedbff48277 /src/man/sssd-ad.5.xml
parent66e1502f956ee71de6cd51c37f7752f8aa14f5f5 (diff)
downloadsssd-60cab26b12df9a2153823972cde0c38ca86e01b9.tar.gz
sssd-60cab26b12df9a2153823972cde0c38ca86e01b9.tar.xz
sssd-60cab26b12df9a2153823972cde0c38ca86e01b9.zip
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/man/sssd-ad.5.xml')
-rw-r--r--src/man/sssd-ad.5.xml64
1 files changed, 64 insertions, 0 deletions
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 539310992..21f735e0a 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -253,6 +253,70 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</varlistentry>
<varlistentry>
+ <term>ad_gpo_access_control (string)</term>
+ <listitem>
+ <para>
+ This option specifies the operation mode for
+ GPO-based access control functionality:
+ whether it operates in disabled mode, enforcing
+ mode, or permissive mode. Please note that the
+ <quote>access_provider</quote> option must be
+ explicitly set to <quote>ad</quote> in order for
+ this option to have an effect.
+ </para>
+ <para>
+ GPO-based access control functionality uses GPO
+ policy settings to determine whether or not a
+ particular user is allowed to logon to a particular
+ host.
+ </para>
+ <para>
+ NOTE: If the operation mode is set to enforcing, it
+ is possible that users that were previously allowed
+ logon access will now be denied logon access (as
+ dictated by the GPO policy settings). In order to
+ facilitate a smooth transition for administrators,
+ a permissive mode is available that will not enforce
+ the access control rules, but will evaluate them and
+ will output a syslog message if access would have
+ been denied. By examining the logs, administrators
+ can then make the necessary changes before setting
+ the mode to enforcing.
+ </para>
+ <para>
+ There are three supported values for this option:
+ <itemizedlist>
+ <listitem>
+ <para>
+ disabled: GPO-based access control rules
+ are neither evaluated nor enforced.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ enforcing: GPO-based access control
+ rules are evaluated and enforced.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ permissive: GPO-based access control
+ rules are evaluated, but not enforced.
+ Instead, a syslog message will be
+ emitted indicating that the user would
+ have been denied access if this option's
+ value were set to enforcing.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Default: permissive
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>