Mike Gerdts wrote:
> Agreed. I'm envisioning a server that runs a J2EE instance (fronted
> by a SSO enabled web server) for many apps, and has NAS and database
> dependencies. In order to grant login privileges to all the people
> that may need to log in, those with any of the following
> authorizations would need to be allowed to log in for various reasons.
>
> com.mycompany.admin.solaris
> com.mycompany.admin.backups
> com.mycompany.admin.nas
> com.mycompany.admin.oracle
> com.mycompany.admin.weblogic
> com.mycompany.admin.iws
> com.mycompany.admin.sso
> com.mycompany.admin.app.salesguru
> com.mycompany.admin.app.partyplanner
> com.mycompany.admin.app.helloworld
>
> From the standpoint of being able to safely manage this, I would be
> quite a bit happier with the following as an optional way of
> configuring it.
>
> other account required pam_authorized.so.1 authsfile=/etc/MyCompany/loginauths
>
> pam.conf is one of those files that I really like to not modify a lot
> because it makes life really difficult when you get it wrong.

I considered that, but hadn't discussed it with Bart. At one point during the development of our proposal we had the ability to specify a profile to capture the case of multiple authorisations, e.g.:

pam_authorized.so.1 profile="MyCompany J2EE Logins"

We dropped that yesterday just before I sent out the proposal because we thought it might be hard to understand what it meant. For example, does it mean any authorization listed in that profile or all of them? In your example it would mean any authorization.

-- 
Darren J Moffat
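
Added example, not part of the original messages or of the pam_authorized proposal: a Python sketch of the "any" versus "all" question raised above, showing why an empty authorization list must deny under either reading. The one-authorization-per-line file format with `#` comments, the exact-string matching, and the function names are assumptions made for illustration.

```python
# Added illustration; this is not the pam_authorized implementation.
import os
import tempfile

def load_auths(path):
    """Parse a hypothetical authsfile: one authorization per line, '#' comments."""
    with open(path, encoding="utf-8") as fh:
        lines = (ln.split("#", 1)[0].strip() for ln in fh)
        return {ln for ln in lines if ln}

def login_allowed(user_auths, required, mode="any"):
    """Exact-string match only; an empty requirement list always denies."""
    if not required:
        # "all of nothing" is vacuously true and would admit every user,
        # so a blank or fully commented-out file must fail closed.
        return False
    if mode == "any":
        return bool(user_auths & required)
    if mode == "all":
        return required <= user_auths
    raise ValueError(f"unknown mode: {mode!r}")

def demo():
    # Constructed sample file using three names from the quoted list.
    text = ("# constructed sample\n"
            "com.mycompany.admin.solaris\n"
            "com.mycompany.admin.oracle  # DBAs\n"
            "\n"
            "com.mycompany.admin.weblogic\n")
    with tempfile.NamedTemporaryFile("w", suffix=".auths", delete=False) as fh:
        fh.write(text)
    try:
        required = load_auths(fh.name)
    finally:
        os.unlink(fh.name)
    dba = {"com.mycompany.admin.oracle"}  # constructed user holding one authorization
    return {
        "required": required,
        "dba_any": login_allowed(dba, required, "any"),
        "dba_all": login_allowed(dba, required, "all"),
        "empty_all": login_allowed(dba, set(), "all"),
    }

if __name__ == "__main__":
    print(demo())
```
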