-rw-r--r-- | configure.ac | 1 | ||||
-rw-r--r-- | src/conf_macros.m4 | 22 | ||||
-rw-r--r-- | src/man/Makefile.am | 7 | ||||
-rw-r--r-- | src/man/sssd-ad.5.xml | 5 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 3 |
5 files changed, 35 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac index 1f9c6f867..8d57c664b 100644 --- a/configure.ac +++ b/configure.ac @@ -123,6 +123,7 @@ WITH_CIFS_PLUGIN_PATH WITH_SELINUX WITH_NSCD WITH_SEMANAGE +WITH_AD_GPO_DEFAULT WITH_GPO_CACHE_PATH WITH_NOLOGIN_SHELL WITH_APP_LIBS diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 index 86876fab8..0ed1694cb 100644 --- a/src/conf_macros.m4 +++ b/src/conf_macros.m4 @@ -792,3 +792,25 @@ AC_DEFUN([WITH_SSSD_USER], AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"]) AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x]) ]) + + AC_DEFUN([WITH_AD_GPO_DEFAULT], + [ AC_ARG_WITH([ad-gpo-default], + [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]], + [Default enforcing level for AD GPO access-control (enforcing)] + ) + ] + ) + GPO_DEFAULT=enforcing + + if test x"$with_ad_gpo_default" != x; then + if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then + AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive") + else + GPO_DEFAULT=$with_ad_gpo_default + fi + fi + + AC_SUBST(GPO_DEFAULT) + AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"]) + AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing]) + ]) diff --git a/src/man/Makefile.am b/src/man/Makefile.am index 6a1cf7dce..1ef1da48c 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -24,7 +24,12 @@ endif if BUILD_IFP IFP_CONDS = ;with_ifp endif -CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS) +if GPO_DEFAULT_ENFORCING +GPO_CONDS = ;gpo_default_enforcing +else +GPO_CONDS = ;gpo_default_permissive +endif +CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS) #Special Rules: diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 55c7a4045..938a443e0 100644 --- a/src/man/sssd-ad.5.xml 
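Review bot: The `AC_MSG_ERROR(...)` call in the new `WITH_AD_GPO_DEFAULT` macro passes an unbracketed message containing five double quotes, so the text is unbalanced as written. Whether the generated configure script survives this depends on how autoconf escapes the message. Bracket-quote it and drop the inner double quotes: `AC_MSG_ERROR([--with-ad-gpo-default must be either 'enforcing' or 'permissive'])`. The value check on the line above combines two tests with `test ... -a ...`, which the Autoconf manual lists as non-portable; a `case "$with_ad_gpo_default" in enforcing|permissive) ... ;; *) ... ;; esac` avoids it. This check matters because the value becomes the compiled-in access-control mode.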
+++ b/src/man/sssd-ad.5.xml @@ -324,9 +324,12 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) </listitem> </itemizedlist> </para> - <para> + <para condition="gpo_default_permissive"> Default: permissive </para> + <para condition="gpo_default_enforcing"> + Default: enforcing + </para> </listitem> </varlistentry> diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index 6e859447f..0f03d3383 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -27,6 +27,7 @@ #include "db/sysdb_services.h" #include "db/sysdb_autofs.h" #include "providers/ldap/ldap_common.h" +#include "config.h" struct dp_option ad_basic_opts[] = { { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, @@ -38,7 +39,7 @@ struct dp_option ad_basic_opts[] = { { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING }, + { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING }, { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING }, |
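Review bot: `#include "config.h"` is added as the last entry of the include list in src/providers/ad/ad_opts.h, after the project headers. The Autoconf convention is to include it before any other header, so that any feature-test or platform macros it defines apply to everything included afterwards. Which macros this project's config.h defines is not visible here. Consider moving the line to the top of the include block, which begins outside the hunk.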
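Review bot: The `ad_gpo_access_control` initializer `{ AD_GPO_ACCESS_MODE_DEFAULT }` has no comment saying the default is now chosen at build time. A build that omits `--with-ad-gpo-default` compiles in "enforcing" (per `GPO_DEFAULT=enforcing` in src/conf_macros.m4), where the removed line had "permissive". For hosts that never set `ad_gpo_access_control` in sssd.conf, that presumably means GPO rules start denying logins after an upgrade, so it deserves a release note as well as the man-page change. Proposed comment above the entry: `/* build-time default, set by --with-ad-gpo-default (src/conf_macros.m4) */`. The `ad_basic_opts` array continues outside the hunk.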