= Proposed Self Contained Change: SSSD GPO-Based Access Control =
https://fedoraproject.org/wiki/Changes/SssdGpoBasedAccessControl
Change owner(s): Yassir Elley <yelley(a)redhat.com>
This change will enhance SSSD by adding support for centrally managed host-
based access control in an Active Directory (AD) environment, using Group
Policy Objects (GPOs).
== Detailed Description ==
GPO policy settings are commonly used to manage host-based access control in
an AD environment. The two specific GPO policy settings ("Allow Log On
Locally" and "Deny Log On Locally") essentially serve as a whitelist and
blacklist of domain users/groups that are consulted to determine whether logon
access to a particular domain computer should be granted. When dealing with
GPOs, there is typically a management piece (used to specify the policy
settings) and a client-side processing piece (used to retrieve and enforce the
policy settings). Since the two policy settings of interest already exist in
AD, administrators can continue to use existing mechanisms to specify the
whitelist and blacklist (e.g. Group Policy Management Console, or GPMC). As
such, this change is related only to the retrieval and enforcement of policy
settings. This change only affects SSSD's AD provider. It has no effect on any
other SSSD providers (e.g. the IPA provider). The upstream design page, which
includes deeper technical details, can be found in the SSSD Trac [1].
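As an added illustration of the enforcement step described above (this is example code, not part of the proposal or of SSSD itself): the two settings are evaluated as a whitelist and a blacklist of SIDs against the SIDs a user carries. It assumes the GptTmpl.inf layout used by security templates (SeInteractiveLogonRight / SeDenyInteractiveLogonRight under [Privilege Rights]), that deny overrides allow, and that an absent allow list imposes no restriction; the policy fragment and SIDs are constructed.

```python
# Added example (not part of the Fedora change proposal or SSSD's own code):
# evaluates "Allow Log On Locally" / "Deny Log On Locally" the way the
# proposal describes them, as a whitelist and a blacklist of SIDs.

# Security templates in a GPO store these two rights in GptTmpl.inf under
# [Privilege Rights], each SID prefixed by '*'. Fragment constructed here.
GPT_TMPL = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1107
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1140
"""

ALLOW_RIGHT = "SeInteractiveLogonRight"       # "Allow Log On Locally"
DENY_RIGHT = "SeDenyInteractiveLogonRight"    # "Deny Log On Locally"


def parse_privilege_rights(text):
    """Return {right_name: set(of SIDs)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
        rights[name.strip()] = sids
    return rights


def logon_allowed(rights, user_sids):
    """Decide local logon for a principal (its user SID plus group SIDs).
    Deny wins over allow (Windows semantics, assumed here). A missing allow
    list is treated as 'no restriction' (an assumption of this example)."""
    user_sids = set(user_sids)
    if user_sids & rights.get(DENY_RIGHT, set()):
        return False            # blacklisted directly or via a group
    allow = rights.get(ALLOW_RIGHT)
    if allow is None:
        return True             # setting not defined: nothing to enforce
    return bool(user_sids & allow)   # whitelisted directly or via a group


RIGHTS = parse_privilege_rights(GPT_TMPL)
```

Feeding a principal's full SID set (user plus group memberships) is what makes a group entry in either list take effect.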
== Scope ==
Since this functionality would only be used by SSSD's AD provider, it would be
included as part of the sssd-ad package. This feature would be enabled by
default, but a build switch would be provided for those who do not wish to
deploy this functionality.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
[1]
http://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration