43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
|
|
Date: Thu, 28 May 2020 12:12:58 +0200
|
|
Subject: [PATCH] AD: Enforcing GPO rule restriction on user
|
|
|
|
This fixes bug related to ad_gpo_implicit_deny option set to True.
|
|
gpo_implict_denay was checked only for dacl_filtered_gpos,
|
|
but not for cse_filtered_gpos.
|
|
|
|
Resolves:
|
|
https://github.com/SSSD/sssd/issues/5181
|
|
|
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
---
|
|
src/providers/ad/ad_gpo.c | 11 ++++++++++-
|
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
index 53560a754..2c6aa7fa6 100644
|
|
--- a/src/providers/ad/ad_gpo.c
|
|
+++ b/src/providers/ad/ad_gpo.c
|
|
@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
|
/* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
|
|
DEBUG(SSSDBG_TRACE_FUNC,
|
|
"no applicable gpos found after cse_guid filtering\n");
|
|
- ret = EOK;
|
|
+
|
|
+ if (state->gpo_implicit_deny == true) {
|
|
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
|
|
+ " is set to 'true'. The user will be denied access.\n");
|
|
+ ret = ERR_ACCESS_DENIED;
|
|
+ } else {
|
|
+ ret = EOK;
|
|
+ }
|
|
+
|
|
goto done;
|
|
}
|
|
|
|
--
|
|
2.21.3
|
|
|