On Thu, Jul 16, 2015 at 10:48:41AM -0400, Dmitri Pal wrote:
On 07/16/2015 10:46 AM, Ondrej Valousek wrote:
>Ok, I could do this, but it involves changing sssd configuration.
>The GPO is much nicer solution - is it now working? It is not clear from the
documentation whether it is still a "wish list" or not...
It is in sssd 1.12.
But it is disabled by default you need to configure it anyways.
It's "permissive" by default in 1.12 and "enforcing" by default in
1.13.
Permissive means similar thing as with SELinux -- the engine runs and
reports results, but the results are not enforced.
Please note that Lukas recently ran SSSD through tests with enforcing
mode and found a couple of bugs, see the 1.13.1 bucket for bugs with GPO
in the title.