author | Stephen Gallagher <sgallagh@redhat.com> | 2015-04-20 10:51:04 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-28 11:13:20 +0200 |
commit | 772464c842968d6e544118ae1aa7c49a7cda2ad6 (patch) | |
tree | 3aa8f4c12f6053d51029c561f0c66a1b11778f70 | |
parent | 31bafc0d6384a30859aa18f3bd22275aec6ee2ed (diff) | |
AD GPO: Change default to "enforcing"
When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default
value.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | configure.ac | 1 | ||||
-rw-r--r-- | src/conf_macros.m4 | 22 | ||||
-rw-r--r-- | src/man/Makefile.am | 7 | ||||
-rw-r--r-- | src/man/sssd-ad.5.xml | 5 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 3 |
5 files changed, 35 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac
index 1f9c6f867..8d57c664b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,7 @@ WITH_CIFS_PLUGIN_PATH
WITH_SELINUX
WITH_NSCD
WITH_SEMANAGE
+WITH_AD_GPO_DEFAULT
WITH_GPO_CACHE_PATH
WITH_NOLOGIN_SHELL
WITH_APP_LIBS
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 86876fab8..0ed1694cb 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -792,3 +792,25 @@ AC_DEFUN([WITH_SSSD_USER],
AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
])
+
+ AC_DEFUN([WITH_AD_GPO_DEFAULT],
+ [ AC_ARG_WITH([ad-gpo-default],
+ [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]],
+ [Default enforcing level for AD GPO access-control (enforcing)]
+ )
+ ]
+ )
+ GPO_DEFAULT=enforcing
+
+ if test x"$with_ad_gpo_default" != x; then
+ if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then
+ AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive")
+ else
+ GPO_DEFAULT=$with_ad_gpo_default
+ fi
+ fi
+
+ AC_SUBST(GPO_DEFAULT)
+ AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"])
+ AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing])
+ ])
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 6a1cf7dce..1ef1da48c 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -24,7 +24,12 @@ endif
if BUILD_IFP
IFP_CONDS = ;with_ifp
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)
+if GPO_DEFAULT_ENFORCING
+GPO_CONDS = ;gpo_default_enforcing
+else
+GPO_CONDS = ;gpo_default_permissive
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)
#Special Rules:
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 55c7a4045..938a443e0 100644
--- a/src/man/sssd-ad.5.xml
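Review bot: The `AC_MSG_ERROR` argument in the new `WITH_AD_GPO_DEFAULT` macro nests unescaped double quotes (`"GPO Default must be either "enforcing" or "permissive"`); autoconf places that argument inside a double-quoted shell string, so the inner quotes are likely to end the string early and the printed error will be truncated or garbled rather than the intended sentence. Quote the argument with m4 brackets and use single quotes for the values: `AC_MSG_ERROR([GPO default must be either 'enforcing' or 'permissive'])`. The help string has a related quoting hazard: the inner `[enforcing|permissive]` in `AS_HELP_STRING` is an m4 quote and will probably be stripped from `./configure --help`; the quadrigraph form `@<:@enforcing|permissive@:>@` keeps the brackets visible. Since a distribution building with `--with-ad-gpo-default=permissive` ships a client that, per the commit message, only warns about GPO denials instead of honoring them, the help text should say so rather than just naming the value.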
+++ b/src/man/sssd-ad.5.xml
@@ -324,9 +324,12 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</listitem>
</itemizedlist>
</para>
- <para>
+ <para condition="gpo_default_permissive">
Default: permissive
</para>
+ <para condition="gpo_default_enforcing">
+ Default: enforcing
+ </para>
</listitem>
</varlistentry>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 6e859447f..0f03d3383 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -27,6 +27,7 @@
#include "db/sysdb_services.h"
#include "db/sysdb_autofs.h"
#include "providers/ldap/ldap_common.h"
+#include "config.h"
struct dp_option ad_basic_opts[] = {
{ "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -38,7 +39,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "ad_gpo_access_control", DP_OPT_STRING, { "permissive" }, NULL_STRING },
+ { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
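Review bot: `#include "config.h"` is added after the project headers in ad_opts.h, whereas config.h is conventionally the first include because it can define feature-test macros that only take effect if they are seen before the system headers. The only thing this header needs from it is `AD_GPO_ACCESS_MODE_DEFAULT`, so either move the include to the top of the list, or, if every translation unit that includes ad_opts.h already pulls in config.h first (likely in this tree, but not visible in the hunk), drop the include and record the dependency with a comment such as `/* AD_GPO_ACCESS_MODE_DEFAULT comes from config.h, which includers must have loaded first */`.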
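Review bot: The changed `ad_gpo_access_control` initializer gives a reader of `ad_basic_opts` no hint that the default is chosen at configure time, so it is not obvious from this table whether a given build enforces GPO access control or merely warns. Add a comment on the changed line, e.g. `/* "enforcing" or "permissive" per --with-ad-gpo-default; permissive only warns, it does not deny */`, which matches the commit message's description of permissive mode as a warning to admins rather than an access decision. The `ad_basic_opts` array continues outside the hunk.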