We should add a login policy constant to the DBus API to reflect using IPA HBAC as a login policy. This will be the default deployed by realmd used with sssd and ipa.
Created attachment 77049: Support realm login policy
Yassir, is this something you have time to review?
Comment on attachment 77049: Support realm login policy

Review of attachment 77049:
-----------------------------------------------------------------
::: service/realm-sssd-ad.c @@ +229,4 @@ > > "id_provider", "ad", > "auth_provider", "ad", > + "access_provider", "ad",

Just a word of warning -- The AD access control provider checks if the account is expired. It has the same effect as the following configuration of the LDAP provider:

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad

The IPA changes look good to me.
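Review bot: the added "access_provider", "ad", pair in the service/realm-sssd-ad.c hunk has no comment explaining its effect on logins. As the review above notes, this provider denies expired AD accounts, so a one-line comment beside the key, or a sentence in the commit message, stating that logins now follow the domain's account-expiry policy would spare the next reader from having to look it up.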
(In reply to comment #3)
> > + "access_provider", "ad",
>
> Just a word of warning -- The AD access control provider checks if the
> account is expired.

Good. I think that's what would be expected. To follow the login policy of the domain in this case.
Attachment 77049 pushed as cf1602d - Support realm login policy
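An added example, not part of the bug thread or of realmd's code: a small audit that reads sssd.conf text and reports, per domain, which access control applies, covering the "ad" provider from the patch, the equivalent LDAP settings quoted in the review, and the IPA HBAC case from the description. The domain names and sample file are constructed, and the script assumes sssd's documented defaults (access_provider = permit, ldap_access_order = filter).

```python
import configparser

# Constructed sample sssd.conf: a domain as the patch configures it, the LDAP
# equivalent quoted in the review, and a domain with no access_provider key.
SAMPLE_CONF = """
[sssd]
domains = ad.example.com, ldap.example.com, old.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad

[domain/ldap.example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad

[domain/old.example.com]
id_provider = ad
auth_provider = ad
"""

def classify_domain(section):
    """Return a short verdict on the access control of one [domain/...] section."""
    # Assumption: sssd falls back to "permit" when access_provider is absent.
    provider = section.get("access_provider", "permit").strip().lower()
    if provider == "ad":
        return "ad: expired accounts denied"
    if provider == "ipa":
        return "ipa: HBAC rules apply"
    if provider == "ldap":
        order = [o.strip() for o in section.get("ldap_access_order", "filter").split(",")]
        policy = section.get("ldap_account_expire_policy", "").strip().lower()
        if "expire" in order and policy == "ad":
            return "ldap: expired accounts denied (AD policy)"
        return "ldap: AD account expiry not checked"
    if provider == "permit":
        return "permit: no access control"
    return provider + ": not evaluated"

def audit(conf_text):
    """Map each domain name in the config text to its access-control verdict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {name[len("domain/"):]: classify_domain(parser[name])
            for name in parser.sections() if name.startswith("domain/")}
```

Calling audit() on the contents of a host's sssd.conf shows which joined domains still admit every authenticated user.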