From 6d7450e996e7c699aebf12422cc7080a0782b9ae Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Mon, 6 Jun 2011 22:26:28 -0400 Subject: Rewrite HBAC rule evaluator Add helper function msgs2attrs_array This function converts a list of ldb_messages into a list of sysdb_attrs. Conflicts: src/providers/ldap/ldap_common.c src/providers/ldap/ldap_common.h Add HBAC evaluator and tests Add helper functions for looking up HBAC rule components Remove old HBAC implementation Add new HBAC lookup and evaluation routines Conflicts: Makefile.am Add ipa_hbac_refresh option This option describes the time between refreshes of the HBAC rules on the IPA server. Add ipa_hbac_treat_deny_as option By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period. Treat NULL or empty rhost as unknown Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts. libipa_hbac: Support case-insensitive comparisons with UTF8 UTF8 HBAC test Fix memory leak in ipa_hbac_evaluate_rules https://fedorahosted.org/sssd/ticket/933 Fix incorrect NULL check in ipa_hbac_common.c https://fedorahosted.org/sssd/ticket/936 Require matched version and release for libipa_hbac Add rule validator to libipa_hbac https://fedorahosted.org/sssd/ticket/943 --- src/man/sssd-ipa.5.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'src/man') diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 4604c55e..8d2ba681 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -175,6 +175,48 @@ + + ipa_hbac_refresh (integer) + + + The amount of time between lookups of the HBAC + rules against the IPA server. This will reduce the + latency and load on the IPA server if there are + many access-control requests made in a short + period. + + + Default: 5 (seconds) + + + + + ipa_hbac_treat_deny_as (string) + + + This option specifies how to treat the deprecated + DENY-type HBAC rules. As of FreeIPA v2.1, DENY + rules are no longer supported on the server. All + users of FreeIPA will need to migrate their rules + to use only the ALLOW rules. The client will + support two modes of operation during this + transition period: + + + DENY_ALL: If any HBAC DENY + rules are detected, all users will be denied + access. + + + IGNORE: SSSD will ignore any + DENY rules. Be very careful with this option, as + it may result in opening unintended access. + + + Default: DENY_ALL + + + -- cgit