URL:
https://github.com/SSSD/sssd/pull/309
Title: #309: HBAC: Do not rely on originalMemberOf, use the sysdb memberof links instead (sssd-1-13 backport)
jhrozek commented:
"""
So the way I tested the patch was to create an external IPA group, add an AD group into
it, then add the external IPA group into an IPA POSIX group and reference the IPA POSIX
group in an HBAC rule.
Then disable allow_all. Make sure that the members of that group are allowed to log in,
but nobody else can.
BTW, the group must have a scope different than domain-local (so Domain Admins or Domain
Users are not good candidates). Either universal or global would do.
For added testing, you can also do the same test with an IPA group and an IPA user, and then
directly with usernames instead of group names.
I don't think it's needed to test other HBAC components like services, because the
patch only touches the function that deals with user and group names.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/309#issuecomment-318037063
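The test plan described in the comment above, written out as an added example (this is not code from the PR, from SSSD or from FreeIPA): a shell script of FreeIPA CLI calls that builds the external-group -> AD-group -> POSIX-group nesting, replaces allow_all with a rule that references the POSIX group, and then checks allow/deny both server-side (ipa hbactest) and on the client. The AD domain, group, rule, host and user names are placeholder assumptions; by default the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR or of SSSD/FreeIPA): the test plan from the
# comment above as FreeIPA CLI calls plus the allow/deny checks.
# All names below (AD domain, groups, rule, host, users) are placeholders.
# Defaults to printing the commands; on an enrolled client with a kinit'd admin
# ticket, run with DRY_RUN=0 to actually apply them.
set -euo pipefail

DRY_RUN="${DRY_RUN:-1}"
AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"
AD_GROUP="${AD_GROUP:-hbac-testers}"          # must be global or universal, not domain-local
EXT_GROUP="${EXT_GROUP:-ad_hbac_testers_external}"
POSIX_GROUP="${POSIX_GROUP:-ad_hbac_testers}"
RULE="${RULE:-allow_ad_hbac_testers}"
TEST_HOST="${TEST_HOST:-client.ipa.example.test}"
MEMBER_USER="${MEMBER_USER:-alice@${AD_DOMAIN}}"   # assumed member of AD_GROUP
OTHER_USER="${OTHER_USER:-bob@${AD_DOMAIN}}"       # assumed not a member of AD_GROUP

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# External IPA group -> AD group inside it -> external group nested in a POSIX group.
setup_groups() {
    run ipa group-add --external "$EXT_GROUP"
    run ipa group-add-member "$EXT_GROUP" --external "${AD_GROUP}@${AD_DOMAIN}"
    run ipa group-add "$POSIX_GROUP"
    run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# HBAC rule that references the POSIX group, then disable the default allow_all rule.
setup_rule() {
    run ipa hbacrule-add "$RULE" --servicecat=all
    run ipa hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
    run ipa hbacrule-add-host "$RULE" --hosts "$TEST_HOST"
    run ipa hbacrule-disable allow_all
}

# Server-side evaluation of the rule set: $1 = user, $2 = "True" or "False".
check_access() {
    local user="$1" expected="$2" out
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipa hbactest --user %s --host %s --service sshd  # expect: Access granted: %s\n' \
            "$user" "$TEST_HOST" "$expected"
        return 0
    fi
    out="$(ipa hbactest --user "$user" --host "$TEST_HOST" --service sshd)"
    if printf '%s\n' "$out" | grep -q "^Access granted: ${expected}$"; then
        printf 'OK   %s: Access granted: %s\n' "$user" "$expected"
    else
        printf 'FAIL %s\n%s\n' "$user" "$out" >&2
        return 1
    fi
}

# Client-side check: SSSD caches memberships, so flush them, then exercise the PAM
# account phase, which is where pam_sss applies HBAC. sssctl exists in SSSD 1.14+;
# on a 1.13 client the equivalent check is a real ssh login as each user.
# The verdict is in the printed output, so a non-zero exit is not treated as fatal.
check_client() {
    run sss_cache -E
    run sssctl user-checks -s sshd -a acct "$MEMBER_USER" || true
    run sssctl user-checks -s sshd -a acct "$OTHER_USER" || true
}

main() {
    setup_groups
    setup_rule
    check_access "$MEMBER_USER" True    # member of the nested AD group: allowed
    check_access "$OTHER_USER" False    # everyone else: denied once allow_all is off
    check_client
}

main "$@"
```

To run it for real: `kinit admin` on an enrolled client, then `DRY_RUN=0 AD_GROUP=<global-or-universal-group> MEMBER_USER=<member>@<ad-domain> OTHER_USER=<non-member>@<ad-domain> ./hbac-test.sh`. The same functions cover the extra variants the comment suggests: point `--groups` at a plain IPA group instead of the nested one, or replace `hbacrule-add-user ... --groups` with `--users <name>` to test direct usernames.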