From fdfe33975cd902bf7a334e49f2667f6346c4e6ae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 16 Mar 2015 11:28:25 +0100
Subject: IPA: Deprecate the ipa_hbac_treat_deny_as option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2603

Deny rules have not been supported by the IPA server since 2.1. We
should deprecate the ipa_hbac_treat_deny_as option.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ipa/ipa_access.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src')

diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 2ebaec33..d1ae1899 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -178,6 +178,10 @@ static void ipa_hbac_check(struct tevent_req *req)
         hbac_ctx->get_deny_rules = false;
     } else {
         hbac_ctx->get_deny_rules = true;
+        sss_log(SSS_LOG_NOTICE,
+                "WARNING: Using deny rules is deprecated, the option "
+                "ipa_hbac_treat_deny_as will be removed in the next "
+                "upstream version\n");
     }
 
     ret = hbac_retry(hbac_ctx);
-- 
cgit