From 98fc4cbc838615a88b9725a13ab7491e89cbac32 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 1 Jul 2011 16:12:58 -0400 Subject: Add ipa_hbac_treat_deny_as option By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period. --- src/man/sssd-ipa.5.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'src/man/sssd-ipa.5.xml') diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index f728e9cc..8d2ba681 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -190,6 +190,33 @@ + + ipa_hbac_treat_deny_as (string) + + + This option specifies how to treat the deprecated + DENY-type HBAC rules. As of FreeIPA v2.1, DENY + rules are no longer supported on the server. All + users of FreeIPA will need to migrate their rules + to use only the ALLOW rules. The client will + support two modes of operation during this + transition period: + + + DENY_ALL: If any HBAC DENY + rules are detected, all users will be denied + access. + + + IGNORE: SSSD will ignore any + DENY rules. Be very careful with this option, as + it may result in opening unintended access. + + + Default: DENY_ALL + + + -- cgit