-rw-r--r--configure.ac1
-rw-r--r--src/conf_macros.m422
-rw-r--r--src/man/Makefile.am7
-rw-r--r--src/man/sssd-ad.5.xml5
-rw-r--r--src/providers/ad/ad_opts.h3
5 files changed, 35 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac
index 1f9c6f867..8d57c664b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,7 @@ WITH_CIFS_PLUGIN_PATH
WITH_SELINUX
WITH_NSCD
WITH_SEMANAGE
+WITH_AD_GPO_DEFAULT
WITH_GPO_CACHE_PATH
WITH_NOLOGIN_SHELL
WITH_APP_LIBS
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 86876fab8..0ed1694cb 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -792,3 +792,25 @@ AC_DEFUN([WITH_SSSD_USER],
AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
])
+
+ AC_DEFUN([WITH_AD_GPO_DEFAULT],
+ [ AC_ARG_WITH([ad-gpo-default],
+ [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
+ [Default enforcing level for AD GPO access-control (enforcing)]
+ )
+ ]
+ )
+ GPO_DEFAULT=enforcing
+
+ if test x"$with_ad_gpo_default" != x; then
+ if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then
+ AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")
+ else
+ GPO_DEFAULT=$with_ad_gpo_default
+ fi
+ fi
+
+ AC_SUBST(GPO_DEFAULT)
+ AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"])
+ AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing])
+ ])
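Review bot: The condition on the line `if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then` relies on the binary `-a` operator of `test`, which POSIX marks obsolescent and the Autoconf manual advises against in configure code because shells parse it inconsistently; `if test "$with_ad_gpo_default" != enforcing && test "$with_ad_gpo_default" != permissive; then` is the portable form. The `AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")` argument nests unescaped double quotes inside a double-quoted shell string, so the emitted message silently loses them; quoting the argument with m4 brackets, `AC_MSG_ERROR([GPO default must be either "enforcing" or "permissive"])`, keeps the intended text. Separately, the square brackets in `--with-ad-gpo-default=[enforcing|permissive]` are m4 quote characters and are likely to be stripped from the `--help` output; if literal brackets are wanted, the Autoconf quadrigraphs `@<:@` and `@:>@` spell them.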
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6a1cf7dce..1ef1da48c 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -24,7 +24,12 @@ endif
if BUILD_IFP
IFP_CONDS = ;with_ifp
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)
+if GPO_DEFAULT_ENFORCING
+GPO_CONDS = ;gpo_default_enforcing
+else
+GPO_CONDS = ;gpo_default_permissive
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
#Special Rules:
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 55c7a4045..938a443e0 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -324,9 +324,12 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</listitem>
</itemizedlist>
</para>
- <para>
+ <para condition="gpo_default_permissive">
Default: permissive
</para>
+ <para condition="gpo_default_enforcing">
+ Default: enforcing
+ </para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 6e859447f..0f03d3383 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -27,6 +27,7 @@
#include "db/sysdb_services.h"
#include "db/sysdb_autofs.h"
#include "providers/ldap/ldap_common.h"
+#include "config.h"
struct dp_option ad_basic_opts[] = {
{ "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
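Review bot: `#include "config.h"` is placed after the project headers at the top of the hunk, but config.h is conventionally the first include of a translation unit because it may define feature-test macros (for example `_GNU_SOURCE` or `_FILE_OFFSET_BITS`) that only take effect if they precede the first system header; the headers above it, including those before line 27 outside the hunk, may already have pulled system headers in. Moving the include ahead of every other `#include` in this file removes that ordering hazard. Whether sssd's config.h actually defines such macros is not visible here, but the conventional placement costs nothing.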
@@ -38,7 +39,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
+ { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
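Review bot: The replaced default for `ad_gpo_access_control` is now decided at configure time, which is not apparent from the option table itself; a short comment on the changed line, `/* default chosen by --with-ad-gpo-default at configure time */`, would tell readers where the value comes from and why it differs between builds. Because this value decides whether GPO access-control results are enforced or only logged, someone auditing the effective default should not have to trace it back through conf_macros.m4. The `ad_basic_opts` initializer continues outside the hunk.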