Add AD check
Add the conditional AD check to make sure that we want the user enabled for FV2 (as Tom pointed out, in order to exclude AA accounts and such). But we could likely make it modular enough to be used in other businesses/institutions where they could customize AD nodes as well as Groups to look for.
Yes, this is a good request. We could setup an admin definable white / black list (Local, OD, AD) that the plugin can look at before enabling that user for FV2.
Short-term I'd only want a check for more-than-4-digit UIDs to be whitelisted/added, as I was concerned network connectivity (with 802.1x throwing a wrench in most things) would get in the way of specific group/AD lookups. On top of that, ideal would be a blacklist of users in a specific AD group, although I can maintain a separate, relatively static list of techs to reap as root via LogoutHook for now, since I only need root and fdesetup.
How about a whitelist / blacklist. If they are on the blacklist we could try and remove them (If there is a sane way to do that...)?
I wasn't fully awake when I made this comment originally, but to pull it out of Slack, we arrived at four modes:
- Enable anyone who logs in
- Enable everyone unless they exist on the blacklist
- Enable those on the whitelist if they don’t also appear on the blacklist
- Enable only those on the whitelist

Implementation looks like a standard Pref, and the goal is to operate on both/either UIDs (by range/length, so it's not in the 500 range) or names.
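The four modes and the UID/name matching described in the comment above, written out as a decision function. This is an added illustration, not code from the plugin or this issue; the `Mode`, `Policy`, `User`, `in_list` and `should_enable` names are assumptions, and the minimum-UID-digit floor is applied before any mode is consulted (a design choice here, so that accounts in the 500 range are never touched even in the "anyone" mode).

```python
"""Added example: FV2-enablement decision logic for the four list modes."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple, Union


class Mode(Enum):
    ANYONE = "anyone"                              # enable anyone who logs in
    ALL_EXCEPT_BLACKLIST = "all_except_blacklist"  # everyone not on the blacklist
    WHITELIST_MINUS_BLACKLIST = "whitelist_minus_blacklist"  # whitelisted and not blacklisted
    WHITELIST_ONLY = "whitelist_only"              # whitelisted, blacklist ignored


# A list entry is a username (str), a single UID (int), or an inclusive (low, high) UID range.
Entry = Union[str, int, Tuple[int, int]]


@dataclass(frozen=True)
class User:
    name: str
    uid: int


@dataclass
class Policy:
    mode: Mode
    whitelist: Tuple[Entry, ...] = ()
    blacklist: Tuple[Entry, ...] = ()
    # Never enable a UID with fewer digits than this; 4 excludes the local 500 range.
    min_uid_digits: int = 0


def in_list(user: User, entries: Iterable[Entry]) -> bool:
    """True if the user matches any entry by name (case-insensitive), UID, or UID range."""
    for entry in entries:
        if isinstance(entry, str):
            if entry.lower() == user.name.lower():
                return True
        elif isinstance(entry, int):
            if entry == user.uid:
                return True
        else:
            low, high = entry
            if low <= user.uid <= high:
                return True
    return False


def should_enable(user: User, policy: Policy) -> bool:
    """Decide whether this login should be enabled for FileVault 2 under the policy."""
    # Global floor: short UIDs (local admin / service accounts) are skipped in every mode.
    if user.uid < 0 or len(str(user.uid)) < policy.min_uid_digits:
        return False
    listed_white = in_list(user, policy.whitelist)
    listed_black = in_list(user, policy.blacklist)
    if policy.mode is Mode.ANYONE:
        return True
    if policy.mode is Mode.ALL_EXCEPT_BLACKLIST:
        return not listed_black
    if policy.mode is Mode.WHITELIST_MINUS_BLACKLIST:
        return listed_white and not listed_black
    if policy.mode is Mode.WHITELIST_ONLY:
        return listed_white
    raise ValueError(f"unknown mode: {policy.mode}")


if __name__ == "__main__":
    # Constructed sample: a directory user, a local admin, and a tech to exclude.
    policy = Policy(Mode.ALL_EXCEPT_BLACKLIST, blacklist=("tech1",), min_uid_digits=4)
    for u in (User("alice", 1001), User("localadmin", 501), User("tech1", 1002)):
        print(u.name, should_enable(u, policy))
```

Because the whitelist and blacklist are evaluated locally against a preference, the decision needs no directory round-trip at login time; an AD group lookup, if added later, would only feed entries into these lists rather than sit on the login path.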