Bug 906379

Summary: ldap_access_order man page improvements
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: low    
Version: 7.0CC: apeetham, grajaiya, jgalipea, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.10.0-10.el7.beta2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 10:23:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-01-31 14:42:44 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1789

The documentation says ldap_access_filter setting is mandatory when using access_provider=ldap. However, you can configure the ldap_access_order so that the filter is never checked. The default value for ldap_access_order is just filter, which means that even if you set ldap_account_expire_policy in configuration file, it is never used unless the ldap_access_order is manually altered.

I think that the default of ldap_access_order should either include all possible values in some order and just ignore the ones that are not configured or that specifying for example ldap_account_expire_policy should add it to checking order automatically. Currently the configuration is not intuitive.

Alternatively the man page should mention this additional step (altering the ldap_access_order) in relevant locations or sssd should at least output a warning about set but unused configuration values.
Comment 1 Jakub Hrozek 2013-10-04 13:23:11 UTC 
Temporarily moving bugs to MODIFIED to work around errata tool bug
Comment 3 Amith 2013-12-11 14:54:53 UTC 
Verified the bug on SSSD Version: sssd-1.11.2-10.el7.x86_64

Man page improvements for ldap_access_order has been verified.
Comment 4 Ludek Smid 2014-06-13 10:23:24 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.