Bug 62518

Summary: Denying a specific user puts incorrect config in sssd.conf
Product: realmd Reporter: Kaushik <kbanerje>
Component: GeneralAssignee: Stef Walter <stefw>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: stefw, yelley
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on: 60628    
Bug Blocks:    
Attachments: Use a dollar sign as our simple_allow_users placeholder
Clarify realm permit/deny commands
Don't print usage info when invalid options
Use a dollar sign as our simple_allow_users placeholder

Description Kaushik 2013-03-19 11:47:21 UTC 
Denying specific user puts incorrect config of simple_allow_users in sssd.conf

On executing "realm deny SSSDAD\\tuser2", sssd.conf has:
simple_allow_users = ,

Functionally, this configuration denies not just tuser2, but all users are denied.
Comment 1 Stef Walter 2013-04-12 10:50:39 UTC 
Good point. 

realmd doesn't actually manage a deny list for accounts. Will change around the 'realm' command options to make this more clear.
Comment 2 Stef Walter 2013-04-12 11:50:27 UTC 
Created attachment 77866 [details] [review]
Use a dollar sign as our simple_allow_users placeholder

We have to use a placeholder to get sssd to recognize that the
simple_allow_users is to allow no users to login.

Simo recommended using a dollar sign instead of a comma.
Comment 3 Stef Walter 2013-04-12 11:50:33 UTC 
Created attachment 77867 [details] [review]
Clarify realm permit/deny commands

 * Deny is not able to add specific users to a blacklist.
 * Add --withdraw options for removing users from the permitted list
 * Compatibility to fall through with previous behavior
 * Better messages when arguments are invalid
Comment 4 Stef Walter 2013-04-12 11:50:38 UTC 
Created attachment 77868 [details] [review]
Don't print usage info when invalid options

When a realm command prints out a failure about invalid options it
gets lost near the top of the big usage information. This was
frustrating, until now.
Comment 5 Stef Walter 2013-04-12 12:22:18 UTC 
Created attachment 77872 [details] [review]
Use a dollar sign as our simple_allow_users placeholder

Fix a regression in the parsing with this second patch.
Comment 6 Stef Walter 2013-04-12 14:37:58 UTC 
Yassir, this is another patch I would appreciate review of.
Comment 7 Stef Walter 2013-04-17 07:21:41 UTC 
Attachment 77867 [details] pushed as a66334e - Clarify realm permit/deny commands
Attachment 77872 [details] pushed as ef9404f - Use a dollar sign as our simple_allow_users placeholder

These are things that may cause confusion on the test day. Since this is unrelated to the internal service code paths, I've looked these over again, and pushed without further review.
Comment 8 Stef Walter 2013-04-26 14:33:46 UTC 
Attachment 77868 [details] pushed as 8f69db6 - Don't print usage info when invalid options

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.