F21 Self Contained Change: SSSD GPO-Based Access Control

= Proposed Self Contained Change: SSSD GPO-Based Access Control = 
https://fedoraproject.org/wiki/Changes/SssdGpoBasedAccessControl

Change owner(s): Yassir Elley <yelley@xxxxxxxxxx>

This change will enhance SSSD by adding support for centrally managed
host-based access control in an Active Directory (AD) environment, using
Group Policy Objects (GPOs).

== Detailed Description ==
GPO policy settings are commonly used to manage host-based access control in 
an AD environment. The two specific GPO policy settings ("Allow Log On 
Locally" and "Deny Log On Locally") essentially serve as a whitelist and 
blacklist of domain users/groups that are consulted to determine whether logon 
access to a particular domain computer should be granted. When dealing with 
GPOs, there is typically a management piece (used to specify the policy 
settings) and a client-side processing piece (used to retrieve and enforce the 
policy settings). Since the two policy settings of interest already exist in 
AD, administrators can continue to use existing mechanisms to specify the 
whitelist and blacklist (e.g. Group Policy Management Console, or GPMC). As 
such, this change is related only to the retrieval and enforcement of policy 
settings. This change only affects SSSD's AD provider. It has no effect on any 
other SSSD providers (e.g. IPA provider). The upstream design page that
includes deeper technical details can be found in the SSSD Trac [1].

== Scope ==
Since this functionality would only be used by SSSD's AD provider, it would be 
included as part of the sssd-ad package. This feature would be enabled by 
default, but a build switch would be provided for those who do not wish to 
deploy this functionality.

* Other developers: N/A (not a System Wide Change) 
* Release engineering: N/A (not a System Wide Change) 
* Policies and guidelines: N/A (not a System Wide Change) 

[1] http://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration 
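
The client-side check described under Detailed Description, as an added example that is not part of the original announcement and is not SSSD code. It assumes the two settings arrive as the SeInteractiveLogonRight and SeDenyInteractiveLogonRight entries of a GPO's GptTmpl.inf security template, that a deny match overrides an allow match, and that an empty allow list means no restriction; the sample template and its SIDs are constructed.

```python
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Allow Log On Locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny Log On Locally"

# Constructed sample of a GPO security template. Real files are usually
# UTF-16 encoded and must be decoded before parsing.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1104,*S-1-5-21-1111-2222-3333-512
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_logon_rights(inf_text):
    """Return (allow, deny) as sets of SID strings from a security template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}

    def sids(key):
        if key not in rights:
            return set()
        # Entries are comma separated; SIDs carry a leading '*'.
        return {s.strip().lstrip("*") for s in rights[key].split(",") if s.strip()}

    return sids(ALLOW), sids(DENY)


def logon_allowed(user_sids, allow, deny):
    """user_sids: the user's own SID plus the SID of every group they belong to."""
    user_sids = set(user_sids)
    if user_sids & deny:       # assumption: the blacklist wins over the whitelist
        return False
    if not allow:              # assumption: no whitelist means no restriction
        return True
    return bool(user_sids & allow)


if __name__ == "__main__":
    allow, deny = parse_logon_rights(SAMPLE_INF)
    member = ["S-1-5-21-1111-2222-3333-2001", "S-1-5-21-1111-2222-3333-1104"]
    print(logon_allowed(member, allow, deny))
```
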