From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Thu, 28 May 2020 12:12:58 +0200
Subject: [PATCH] AD: Enforcing GPO rule restriction on user
This fixes bug related to ad_gpo_implicit_deny option set to True.
gpo_implict_denay was checked only for dacl_filtered_gpos,
but not for cse_filtered_gpos.
Resolves:
https://github.com/SSSD/sssd/issues/5181
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ad/ad_gpo.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 53560a754..2c6aa7fa6 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
/* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
DEBUG(SSSDBG_TRACE_FUNC,
"no applicable gpos found after cse_guid filtering\n");
- ret = EOK;
+
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
goto done;
}
--
2.21.3