Denying specific user puts incorrect config of simple_allow_users in sssd.conf
On executing "realm deny SSSDAD\\tuser2", sssd.conf has:
simple_allow_users = ,
Functionally, this configuration denies not just tuser2, but all users.
Good point. realmd doesn't actually manage a deny list for accounts. Will change around the 'realm' command options to make this more clear.
Created attachment 77866
Use a dollar sign as our simple_allow_users placeholder
We have to use a placeholder to get sssd to recognize that the simple_allow_users is to allow no users to log in. Simo recommended using a dollar sign instead of a comma.
Created attachment 77867
Clarify realm permit/deny commands
* Deny is not able to add specific users to a blacklist.
* Add --withdraw options for removing users from the permitted list
* Compatibility to fall through with previous behavior
* Better messages when arguments are invalid
Created attachment 77868
Don't print usage info when invalid options
When a realm command prints out a failure about invalid options it gets lost near the top of the big usage information. This was frustrating, until now.
Created attachment 77872
Use a dollar sign as our simple_allow_users placeholder
Fix a regression in the parsing with this second patch.
Yassir, this is another patch I would appreciate review of.
Attachment 77867 pushed as a66334e - Clarify realm permit/deny commands
Attachment 77872 pushed as ef9404f - Use a dollar sign as our simple_allow_users placeholder
These are things that may cause confusion on the test day. Since this is unrelated to the internal service code paths, I've looked these over again, and pushed without further review.
Attachment 77868 pushed as 8f69db6 - Don't print usage info when invalid options
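Added example, not part of the bug thread or of realmd's code: a small audit that reads an sssd.conf and flags domains whose simple_allow_users holds only the placeholder described in this report (the comma, or the later dollar sign), which the report says leaves no user permitted. The sample configuration, the domain names and the function name audit_allow_users are constructed for illustration.

```python
import configparser

# Placeholders named in this bug report: the comma realmd first wrote,
# and the dollar sign the later patch switched to.
PLACEHOLDERS = {",", "$"}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """
[domain/sssdad.example]
access_provider = simple
simple_allow_users = ,

[domain/other.example]
access_provider = simple
simple_allow_users = tuser1, tuser2

[domain/placeholder.example]
access_provider = simple
simple_allow_users = $
"""


def audit_allow_users(conf_text):
    """Map each simple-access domain section to (status, explicitly allowed users)."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "access_provider", fallback="") != "simple":
            continue
        raw = parser.get(section, "simple_allow_users", fallback="").strip()
        if not raw:
            # The thread does not say how sssd treats this case; report it as-is.
            report[section] = ("empty-or-unset", [])
            continue
        parts = [p.strip() for p in raw.split(",")]
        users = [p for p in parts if p and p not in PLACEHOLDERS]
        status = "allow-list" if users else "no-users-permitted"
        report[section] = (status, users)
    return report


if __name__ == "__main__":
    for domain, (status, users) in audit_allow_users(SAMPLE_CONF).items():
        print(f"{domain}: {status} {users}")
```

Run it against the text of /etc/sssd/sssd.conf after a realm permit or deny change to confirm that the resulting allow list is the one intended.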