diff options
| author | Stephen Gallagher <sgallagh@redhat.com> | 2011-06-06 22:26:28 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-08-04 10:28:14 -0400 |
| commit | 6d7450e996e7c699aebf12422cc7080a0782b9ae (patch) | |
| tree | de1c1245e0b888d80493f859c79938ba37d5e1fb /src/man/sssd-ipa.5.xml | |
| parent | 47985a7b3a1a4c00b38350692197ce360e5e36ef (diff) | |
| download | sssd-6d7450e996e7c699aebf12422cc7080a0782b9ae.tar.gz sssd-6d7450e996e7c699aebf12422cc7080a0782b9ae.tar.xz sssd-6d7450e996e7c699aebf12422cc7080a0782b9ae.zip | |
Rewrite HBAC rule evaluator
Add helper function msgs2attrs_array
This function converts a list of ldb_messages into a list of
sysdb_attrs.
Conflicts:
src/providers/ldap/ldap_common.c
src/providers/ldap/ldap_common.h
Add HBAC evaluator and tests
Add helper functions for looking up HBAC rule components
Remove old HBAC implementation
Add new HBAC lookup and evaluation routines
Conflicts:
Makefile.am
Add ipa_hbac_refresh option
This option describes the time between refreshes of the HBAC rules
on the IPA server.
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
libipa_hbac: Support case-insensitive comparisons with UTF8
UTF8 HBAC test
Fix memory leak in ipa_hbac_evaluate_rules
https://fedorahosted.org/sssd/ticket/933
Fix incorrect NULL check in ipa_hbac_common.c
https://fedorahosted.org/sssd/ticket/936
Require matched version and release for libipa_hbac
Add rule validator to libipa_hbac
https://fedorahosted.org/sssd/ticket/943
Diffstat (limited to 'src/man/sssd-ipa.5.xml')
| -rw-r--r-- | src/man/sssd-ipa.5.xml | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 4604c55e2..8d2ba6818 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -175,6 +175,48 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>ipa_hbac_refresh (integer)</term> + <listitem> + <para> + The amount of time between lookups of the HBAC + rules against the IPA server. This will reduce the + latency and load on the IPA server if there are + many access-control requests made in a short + period. + </para> + <para> + Default: 5 (seconds) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ipa_hbac_treat_deny_as (string)</term> + <listitem> + <para> + This option specifies how to treat the deprecated + DENY-type HBAC rules. As of FreeIPA v2.1, DENY + rules are no longer supported on the server. All + users of FreeIPA will need to migrate their rules + to use only the ALLOW rules. The client will + support two modes of operation during this + transition period: + </para> + <para> + <emphasis>DENY_ALL</emphasis>: If any HBAC DENY + rules are detected, all users will be denied + access. + </para> + <para> + <emphasis>IGNORE</emphasis>: SSSD will ignore any + DENY rules. Be very careful with this option, as + it may result in opening unintended access. + </para> + <para> + Default: DENY_ALL + </para> + </listitem> + </varlistentry> </variablelist> </para> |