From f2b40ec8a4158fec75873828e4980965abbe7f66 Mon Sep 17 00:00:00 2001
From: Yassir Elley
Date: Fri, 5 Sep 2014 18:45:12 -0400
Subject: AD-GPO: config changes for gpo_map_* options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Sumit Bose
Reviewed-by: Lukáš Slebodník
---
 src/config/SSSDConfig/__init__.py.in | 9 +-
 src/config/etc/sssd.api.d/sssd-ad.conf | 8 +
 src/man/sssd-ad.5.xml | 329 +++++++++++++++++++++++++++++++++
 src/providers/ad/ad_common.h | 9 +
 src/providers/ad/ad_opts.h | 8 +
 5 files changed, 362 insertions(+), 1 deletion(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index dc18e1e82..9a49b91b9 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -170,7 +170,14 @@ option_strings = {
 'ad_enable_gc' : _('Whether to use the Global Catalog for lookups'),
 'ad_gpo_access_control' : _('Operation mode for GPO-based access control'),
 'ad_gpo_cache_timeout' : _("The amount of time between lookups of the GPO policy files against the AD server"),
-
+ 'ad_gpo_map_interactive' : _('PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings'),
+ 'ad_gpo_map_remote_interactive' : _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings'),
+ 'ad_gpo_map_network' : _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
+ 'ad_gpo_map_batch' : _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
+ 'ad_gpo_map_service' : _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
+ 'ad_gpo_map_permit' : _('PAM service names for which GPO-based access is always granted'),
+ 'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
+ 'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),
 'krb5_server' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index b9f01bc84..5dd4fb435 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
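Review bot: The single removed line was the blank separator between the last AD entry and the `# [provider/krb5]` comment, so after this hunk the krb5 section header directly follows the new `'ad_gpo_default_right'` entry. Restoring one empty line after `'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),` keeps the provider sections visually separated as they were before the change. The option_strings dict opens before and closes after this hunk.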
@@ -8,6 +8,14 @@ ad_access_filter = str, None, false
 ad_enable_gc = bool, None, false
 ad_gpo_access_control = str, None, false
 ad_gpo_cache_timeout = int, None, false
+ad_gpo_map_interactive = str, None, false
+ad_gpo_map_remote_interactive = str, None, false
+ad_gpo_map_network = str, None, false
+ad_gpo_map_batch = str, None, false
+ad_gpo_map_service = str, None, false
+ad_gpo_map_permit = str, None, false
+ad_gpo_map_deny = str, None, false
+ad_gpo_default_right = str, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 8d90bc133..f63a496d9 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -332,6 +332,335 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + + ad_gpo_map_interactive (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the InteractiveLogonRight and + DenyInteractiveLogonRight policy settings. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. login) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_interactive = +my_pam_service, -login + + + + Default: the default set of PAM service names includes: + + + + login + + + + + su + + + + + su-l + + + + + gdm-fingerprint + + + + + gdm-password + + + + + gdm-smartcard + + + + + kdm + + + + + + + + + ad_gpo_map_remote_interactive (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the RemoteInteractiveLogonRight and + DenyRemoteInteractiveLogonRight policy settings. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. sshd) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_remote_interactive = +my_pam_service, -sshd + + + + Default: the default set of PAM service names includes: + + + + sshd + + + + + + + + + ad_gpo_map_network (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the NetworkLogonRight and DenyNetworkLogonRight + policy settings. 
+ + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. ftp) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_network = +my_pam_service, -ftp + + + + Default: the default set of PAM service names includes: + + + + ftp + + + + + samba + + + + + + + + + ad_gpo_map_batch (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the BatchLogonRight and DenyBatchLogonRight + policy settings. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. crond) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_batch = +my_pam_service, -crond + + + + Default: the default set of PAM service names includes: + + + + crond + + + + + + + + + ad_gpo_map_service (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the ServiceLogonRight and DenyServiceLogonRight + policy settings. + + + It is possible to add a PAM service name to the + default set by using +service_name. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. 
my_pam_service), you + would use the following configuration: + + ad_gpo_map_service = +my_pam_service + + + + Default: not set + + + + + + ad_gpo_map_permit (string) + + + A comma-separated list of PAM service names for + which GPO-based access is always granted, regardless + of any GPO Logon Rights. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for unconditionally permitted access (e.g. sudo) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_permit = +my_pam_service, -sudo + + + + Default: the default set of PAM service names includes: + + + + sudo + + + + + sudo-i + + + + + + + + + ad_gpo_map_deny (string) + + + A comma-separated list of PAM service names for + which GPO-based access is always denied, regardless + of any GPO Logon Rights. + + + It is possible to add a PAM service name to the + default set by using +service_name. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. my_pam_service), you + would use the following configuration: + + ad_gpo_map_deny = +my_pam_service + + + + Default: not set + + + + + + ad_gpo_default_right (string) + + + This option defines how access control is evaluated + for PAM service names that are not explicitly listed + in one of the ad_gpo_map_* options. This option can be + set in two different manners. First, this option can + be set to use a default logon right. For example, if + this option is set to 'interactive', it means that + unmapped PAM service names will be processed based on + the InteractiveLogonRight and DenyInteractiveLogonRight + policy settings. 
Alternatively, this option can be set + to either always permit or always deny access for + unmapped PAM service names. + + + Supported values for this option include: + + + + interactive + + + + + remote_interactive + + + + + network + + + + + batch + + + + + service + + + + + permit + + + + + deny + + + + + + Default: deny + + + + dyndns_update (boolean)
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index c3dc6c1a7..df8dcffea 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,14 @@ enum ad_basic_opt {
 AD_ENABLE_GC,
 AD_GPO_ACCESS_CONTROL,
 AD_GPO_CACHE_TIMEOUT,
+ AD_GPO_MAP_INTERACTIVE,
+ AD_GPO_MAP_REMOTE_INTERACTIVE,
+ AD_GPO_MAP_NETWORK,
+ AD_GPO_MAP_BATCH,
+ AD_GPO_MAP_SERVICE,
+ AD_GPO_MAP_PERMIT,
+ AD_GPO_MAP_DENY,
+ AD_GPO_DEFAULT_RIGHT,
 AD_OPTS_BASIC /* opts counter */
 };
@@ -141,4 +149,5 @@ int ad_sudo_init(struct be_ctx *be_ctx,
 struct ad_id_ctx *id_ctx,
 struct bet_ops **ops,
 void **pvt_data);
+
 #endif /* AD_COMMON_H_ */
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index a82f7a9e0..1429b990e 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
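Review bot: The eight enumerators added to enum ad_basic_opt are placed before AD_OPTS_BASIC, so the counter stays last, but their order also has to match the positions of the corresponding entries in ad_basic_opts[] in ad_opts.h, and nothing in either header checks that coupling. A comment on the first added line, `AD_GPO_MAP_INTERACTIVE,  /* order must match ad_basic_opts[] in ad_opts.h */`, would make the invariant visible to the next person extending either list. The enum's opening line is only visible through the hunk header; the second hunk in this file just adds a blank line before the include guard's #endif and needs nothing.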
@@ -40,6 +40,14 @@ struct dp_option ad_basic_opts[] = {
 { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
 { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_network", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_batch", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_service", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 DP_OPTION_TERMINATOR
 };
-- cgit
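Review bot: All eight new entries register a NULL_STRING default, so this table does not carry the default PAM service sets (login, su, sshd, ...) or the `Default: deny` for ad_gpo_default_right that the man page in this same commit documents; whatever reads these options must apply those defaults itself, and that code is not part of this change. That differs from the neighbouring ad_gpo_access_control entry, which carries its "permissive" default here, so a comment on the first added line such as `/* NULL: consumer applies the built-in default set documented in sssd-ad(5) */` would explain the asymmetry. ad_gpo_default_right also accepts only a fixed set of values (interactive, remote_interactive, network, batch, service, permit, deny) but is declared as a plain DP_OPT_STRING, so the parser that consumes it should reject unrecognised values and fall back to deny rather than to a permissive right. The array's opening line is only visible through the hunk header.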