From 1b474ef7011f4bf9ce4aac85dbc9827a9486d5eb Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 9 Dec 2010 10:14:04 -0500 Subject: Add group support to the simple access provider This patch adds simple_allow_groups and simple_deny_groups options to the simple access provider. It makes it possible to grant or deny access based on a user's group memberships within the domain. This patch makes one minor change to previous functionality: now all deny rules will supersede allow rules. Previously, if both simple_allow_users and simple_deny_users were set with the same value, the allow would win. https://fedorahosted.org/sssd/ticket/440 --- src/man/sssd-simple.5.xml | 56 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 43 insertions(+), 13 deletions(-) (limited to 'src/man/sssd-simple.5.xml') diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml index 260d15ab..fd3b8b0e 100644 --- a/src/man/sssd-simple.5.xml +++ b/src/man/sssd-simple.5.xml @@ -36,21 +36,30 @@ The simple access provider grants or denies access based on an - access or deny list of user names. Here to following rules apply: + access or deny list of user or group names. The following rules + apply: - If both lists are empty, access is granted + If all lists are empty, access is granted - If simple_allow_users is set, only users from this - list are allowed access. - This setting supersedes the simple_deny_users list - (which would be redundant). + + If any list is provided, the order of evaluation is + allow,deny. This means that any matching deny rule + will supersede any matched allow rule. + - If the simple_allow_users list is empty, users are - allowed access unless they appear in the - simple_deny_users list + + If either or both "allow" lists are provided, all + users are denied unless they appear in the list. + + + + + If only "deny" lists are provided, all users are + granted access unless they appear in the list. + 
@@ -69,8 +78,8 @@ simple_allow_users (string) - Comma separated list of users who are allowed to log - in. + Comma separated list of users who are allowed to + log in. @@ -79,8 +88,29 @@ simple_deny_users (string) - Comma separated list of users who are rejected if - simple_allow_users is not set. + Comma separated list of users who are explicitly + denied access. + + + + + simple_allow_groups (string) + + + Comma separated list of groups that are allowed to + log in. This applies only to groups within this + SSSD domain. Local groups are not evaluated. + + + + + + simple_deny_groups (string) + + + Comma separated list of groups that are explicitly + denied access. This applies only to groups within + this SSSD domain. Local groups are not evaluated. -- cgit
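Review bot: In the first hunk (@@ -36,21 +36,30 @@), the rule "If either or both "allow" lists are provided, all users are denied unless they appear in the list" is ambiguous when both simple_allow_users and simple_allow_groups are set: "the list" reads as if a user must appear in one specific list, whereas the intended semantics appear to be that matching either allow list is sufficient. Suggest "unless they appear in at least one of those lists (by user name or by membership in a listed group)". Two smaller points in the same hunk: "allow,deny" should read "allow, then deny" to make the evaluation order explicit, and since this hunk documents a behavioural change that the commit message calls out (a matching deny rule now supersedes an allow rule, reversing the previous precedence), the man page should state that explicitly so administrators whose existing configurations relied on the old precedence can review them rather than discover the change at login time.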
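Review bot: In the third hunk (@@ -79,8 +88,29 @@), the new simple_allow_groups and simple_deny_groups entries say "Local groups are not evaluated" but do not say what happens when an administrator lists a local group name anyway. If the entry is silently ignored, a simple_deny_groups rule naming a local group becomes a no-op that grants more access than the administrator intended, which is the failure mode that matters most for an access-control option. Suggest either documenting that such names are ignored without error, or, better, noting that the provider logs a warning for group names it cannot resolve in the domain, so the misconfiguration is visible. The reworded simple_deny_users description ("explicitly denied access") is a good match for the new deny-wins evaluation order and reads correctly.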