Hi Jakub, On Tue, 29 Jul 2014 07:32:58 -0700 Jakub Hrozek <[email protected]> wrote:
> On Tue, Jul 29, 2014 at 04:15:16PM +0200, Daniel Gollub wrote: > > Fixes: > > https://fedorahosted.org/sssd/ticket/1021 > > Thanks a lot for the patch! > > I wonder, though if you read the discussion in the ticket where Simo > and Sumit argued this functionality should be implemented in sssd.conf > rather than the pam module? > > If you saw the discussion, what prompted you to continue the pam > option way? What I plan to do is following: Have a sssd.conf with multiple domains configured of different types and configuration configured - e.g. - "emea.example.com", "hq.example.com" both as LDAP domain - "it.example.com" as Local-domain With that I want to enable PAM-aware services to use pam_sss to authenticate not against all but against expliclty selected combination. By creating multiple pam configuration/service for multiple e.g. VPN endpoints on the same host. Counting on that example: VPN service #1 is configured to use PAM configuration/service: /etc/pam.d/vpn-sales-dep.conf Which consists of: {auth,account} ... pam_sss.so domains=emea.example.com,hq.example.com VPN service #2 is ocnfigued to use PAM configuration/service: /etc/pam.d/vpn-it.conf Which consists of: {auth,account} ... pam_sss.so domains=it.example.com And a completely different service / e.g. Webserver which should grant access for all SSSD domains: /etc/pam.d/random-intranet.conf Which consists of: {auth,account} ... pam_sss.so And so on ... everything on the same machine. This VPN service (e.g. OpenVPN) requires no modification to support this. For each of those PAM configuration another OpenVPN daemon gets started with a different PAM plugin configuration (and different routing options and such). I am not quite sure how this could be done by moving the domains= configuration inside sssd.conf, without modifying the existing PAM-aware services - like OpenSSH, OpenVPN, ... I guess this should solve what Mark commented in the ticket to do by running two SSH daemons with different authentication domains as well. I also agree what he is saying, that users will first look for pam options ... this was the first think I did as well. Thanks! Daniel _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
