On Tue, Jul 29, 2014 at 04:59:23PM +0200, Daniel Gollub wrote: > Hi Jakub, > > On Tue, 29 Jul 2014 07:32:58 -0700 > Jakub Hrozek <[email protected]> wrote: > > > On Tue, Jul 29, 2014 at 04:15:16PM +0200, Daniel Gollub wrote: > > > Fixes: > > > https://fedorahosted.org/sssd/ticket/1021 > > > > Thanks a lot for the patch! > > > > I wonder, though if you read the discussion in the ticket where Simo > > and Sumit argued this functionality should be implemented in sssd.conf > > rather than the pam module? > > > > If you saw the discussion, what prompted you to continue the pam > > option way? > > What I plan to do is following: > > Have a sssd.conf with multiple domains configured of different types > and configuration configured - e.g. > > - "emea.example.com", "hq.example.com" both as LDAP domain > - "it.example.com" as Local-domain > > With that I want to enable PAM-aware services to use pam_sss to > authenticate not against all but against expliclty selected combination. > By creating multiple pam configuration/service for multiple e.g. VPN > endpoints on the same host. Counting on that example: > > VPN service #1 is configured to use PAM configuration/service: > /etc/pam.d/vpn-sales-dep.conf > > Which consists of: > {auth,account} ... pam_sss.so domains=emea.example.com,hq.example.com > > VPN service #2 is ocnfigued to use PAM configuration/service: > /etc/pam.d/vpn-it.conf > > Which consists of: > {auth,account} ... pam_sss.so domains=it.example.com > > And a completely different service / e.g. Webserver which should grant > access for all SSSD domains: > /etc/pam.d/random-intranet.conf > > Which consists of: > {auth,account} ... pam_sss.so > > > > And so on ... everything on the same machine. > > This VPN service (e.g. OpenVPN) requires no modification to support > this. For each of those PAM configuration another OpenVPN daemon gets > started with a different PAM plugin configuration (and different > routing options and such). > > > I am not quite sure how this could be done by moving the domains= > configuration inside sssd.conf, without modifying the existing PAM-aware > services - like OpenSSH, OpenVPN, ...
My understanding was that the domain section would grow a new parameter, something like allowed_pam_services. Then in your case you would have: [domain/emea.example.com] allowed_pam_services = vpn-sales-dep [domain/hq.example.com] allowed_pam_services = vpn-sales-dep [domain/it.example.com] allowed_pam_services = vpn-it I see the point that your configuration is more flexible, though. However, we had some discussion around this effort internally with Jan and Simo couple of weeks ago. I added them to the CC list so they can check of your approach would work for them.. _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
