author | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-09 10:14:04 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-13 07:30:24 -0500 |
commit | 1b474ef7011f4bf9ce4aac85dbc9827a9486d5eb (patch) | |
tree | 6e1e86dfbddffac5a89201f26dd4be9ed92eaab1 /src/man | |
parent | 583a018d792c7a28762ecfba74ef1adc48724f22 (diff) | |
Add group support to the simple access provider
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/sssd-simple.5.xml | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml index 260d15ab8..fd3b8b0e2 100644 --- a/src/man/sssd-simple.5.xml +++ b/src/man/sssd-simple.5.xml @@ -36,21 +36,30 @@ </para> <para> The simple access provider grants or denies access based on an - access or deny list of user names. Here to following rules apply: + access or deny list of user or group names. The following rules + apply: <itemizedlist> <listitem> - <para>If both lists are empty, access is granted</para> + <para>If all lists are empty, access is granted</para> </listitem> <listitem> - <para>If simple_allow_users is set, only users from this - list are allowed access.</para> - <para>This setting supersedes the simple_deny_users list - (which would be redundant).</para> + <para> + If any list is provided, the order of evaluation is + allow,deny. This means that any matching deny rule + will supersede any matched allow rule. + </para> </listitem> <listitem> - <para>If the simple_allow_users list is empty, users are - allowed access unless they appear in the - simple_deny_users list</para> + <para> + If either or both "allow" lists are provided, all + users are denied unless they appear in the list. + </para> + </listitem> + <listitem> + <para> + If only "deny" lists are provided, all users are + granted access unless they appear in the list. + </para> </listitem> </itemizedlist> </para> @@ -69,8 +78,8 @@ <term>simple_allow_users (string)</term> <listitem> <para> - Comma separated list of users who are allowed to log - in. + Comma separated list of users who are allowed to + log in. </para> </listitem> </varlistentry> 
@@ -79,8 +88,29 @@ <term>simple_deny_users (string)</term> <listitem> <para> - Comma separated list of users who are rejected if - simple_allow_users is not set. + Comma separated list of users who are explicitly + denied access. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>simple_allow_groups (string)</term> + <listitem> + <para> + Comma separated list of groups that are allowed to + log in. This applies only to groups within this + SSSD domain. Local groups are not evaluated. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>simple_deny_groups (string)</term> + <listitem> + <para> + Comma separated list of groups that are explicitly + denied access. This applies only to groups within + this SSSD domain. Local groups are not evaluated. </para> </listitem> </varlistentry> |
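Review bot: The third and fourth list items in the @@ -36,21 +36,30 @@ hunk say users must "appear in the list", which no longer fits once group lists exist: a user matches simple_allow_groups or simple_deny_groups through membership, not by name. Suggest wording along the lines of "unless they match an entry in an allow list, either by user name or by group membership". The mixed case is also left implicit: when both allow and deny lists are set, the text should say outright that a user matching neither is denied. Because the second item reverses the precedence described in the removed lines (simple_allow_users used to supersede simple_deny_users), a sentence telling administrators who set both options to re-check their configuration would be worth adding.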
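Review bot: "Local groups are not evaluated" in the simple_deny_groups entry of the @@ -79,8 +88,29 @@ hunk understates the consequence: a local group named in simple_deny_groups will never match, so that deny entry silently does nothing. Suggest stating this directly, and documenting for both group options whether a user's primary group and nested group memberships are taken into account. Minor style point: an empty added line precedes the simple_deny_groups varlistentry but not the simple_allow_groups one; make the spacing consistent.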