Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/1965 This came up on sssd-users: The default access_provider [for the AD provider] is "permit" because basically all of the real access providers require configuration to be useful and otherwise default to blocking everyone. Essentially, we elected to behave like FreeIPA with the ALLOW_ALL HBAC rule for initial setup. This should be spelled out in the man page.
Verified the bug on SSSD Version: sssd-1.11.2-13.el7 The man page for sssd-ad has been updated with the following NOTES section: NOTES The AD access control provider checks if the account is expired. It has the same effect as the following configuration of the LDAP provider: access_provider = ldap ldap_access_order = expire ldap_account_expire_policy = ad However, unless the “ad” access control provider is explicitly configured, the default access provider is “permit”.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.