On Thu, Oct 2, 2008 at 4:46 PM, Mike Gerdts <mgerdts at gmail.com> wrote:
> On Thu, Oct 2, 2008 at 3:50 PM, Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
>> I like this very much, but I'd like the configuration for this module
>> not to have to be specified as a module argument -- that could get
>> unwieldy quick.
>
> Agreed. I'm envisioning a server that runs a J2EE instance (fronted
> by an SSO-enabled web server) for many apps, and has NAS and database
> dependencies. In order to grant login privileges to all the people
> that may need to log in, those with any of the following
> authorizations would need to be allowed to log in for various reasons.
>
> com.mycompany.admin.solaris
> com.mycompany.admin.backups
> com.mycompany.admin.nas
> com.mycompany.admin.oracle
> com.mycompany.admin.weblogic
> com.mycompany.admin.iws
> com.mycompany.admin.sso
> com.mycompany.admin.app.salesguru
> com.mycompany.admin.app.partyplanner
> com.mycompany.admin.app.helloworld
>
> From the standpoint of being able to safely manage this, I would be
> quite a bit happier with the following as an optional way of
> configuring it.
>
> other account required pam_authorized.so.1 authsfile=/etc/MyCompany/loginauths
>
> pam.conf is one of those files that I really like to not modify a lot
> because it makes life really difficult when you get it wrong.
I second not having to touch pam.conf any more than is necessary. I do like the concept of using authorizations for access control. As a potential follow-on feature (i.e. sometime in the future), what about being able to store the list of authorizations for the server in NIS or LDAP? Since this makes the most sense where one of the two systems is being used, it would allow one to manage all of this in one place. I've been wanting to implement something that could do something like that (and have floated it around a little bit to determine interest), but with a day job and other projects, have not had the time to do it (yet).
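As an added example, not code from this thread or from any pam_authorized module: a C sketch of how the proposed authsfile could be parsed and evaluated on the account-management side. It assumes a one-authorization-per-line format with '#' comments, and simulates the user's granted authorizations as a string list where a real module would consult chkauthattr(3SECDB); the trailing ".*" wildcard follows Solaris authorization matching.

```c
#include <string.h>
#include <ctype.h>
#define MAX_AUTHS 64
#define AUTH_LEN 128

/* Constructed sample of the proposed authsfile (not real data). Assumed format:
 * one authorization per line, '#' starts a comment, blank lines are ignored. */
static const char SAMPLE_AUTHSFILE[] =
    "# /etc/MyCompany/loginauths (sample)\n"
    "com.mycompany.admin.solaris\n"
    "com.mycompany.admin.backups   # ops team\n\n"
    "com.mycompany.admin.app.salesguru\n";

/* Parse authsfile text into authorization names; returns how many were read. */
int parse_authsfile(const char *text, char out[][AUTH_LEN], int max) {
    int n = 0;
    for (const char *p = text; *p && n < max; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *next = eol ? eol + 1 : p + len;
        const char *hash = memchr(p, '#', len);
        if (hash) len = (size_t)(hash - p);                        /* strip comment */
        while (len && isspace((unsigned char)*p)) { p++; len--; }   /* ltrim */
        while (len && isspace((unsigned char)p[len - 1])) len--;    /* rtrim */
        if (len && len < AUTH_LEN) {
            memcpy(out[n], p, len);
            out[n++][len] = '\0';
        }
        p = next;
    }
    return n;
}

/* Solaris-style match: a granted auth ending in ".*" covers that whole prefix. */
static int auth_matches(const char *granted, const char *required) {
    size_t g = strlen(granted);
    if (g >= 2 && strcmp(granted + g - 2, ".*") == 0)
        return strncmp(granted, required, g - 1) == 0;
    return strcmp(granted, required) == 0;
}

/* Allow login when the user holds ANY authorization listed in the file.
 * user_auths stands in for what chkauthattr(3SECDB) would report (assumption). */
int user_may_login(const char **user_auths, int nuser, const char *authsfile) {
    char req[MAX_AUTHS][AUTH_LEN];
    int nreq = parse_authsfile(authsfile, req, MAX_AUTHS);
    for (int i = 0; i < nuser; i++)
        for (int j = 0; j < nreq; j++)
            if (auth_matches(user_auths[i], req[j]))
                return 1;
    return 0;
}
```

Because the file is the only thing that changes as applications come and go, pam.conf stays untouched, which is exactly the operational property the thread is after.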