On Wed, 30 Jul 2014 01:58:00 -0700 Jakub Hrozek <[email protected]> wrote:
> On Tue, Jul 29, 2014 at 04:59:23PM +0200, Daniel Gollub wrote: > > Hi Jakub, > > > > On Tue, 29 Jul 2014 07:32:58 -0700 > > Jakub Hrozek <[email protected]> wrote: > > > > > On Tue, Jul 29, 2014 at 04:15:16PM +0200, Daniel Gollub wrote: > > > > Fixes: > > > > https://fedorahosted.org/sssd/ticket/1021 > > > > > > Thanks a lot for the patch! > > > > > > I wonder, though if you read the discussion in the ticket where > > > Simo and Sumit argued this functionality should be implemented in > > > sssd.conf rather than the pam module? > > > > > > If you saw the discussion, what prompted you to continue the pam > > > option way? > > > > What I plan to do is following: > > > > Have a sssd.conf with multiple domains configured of different types > > and configuration configured - e.g. > > > > - "emea.example.com", "hq.example.com" both as LDAP domain > > - "it.example.com" as Local-domain > > > > With that I want to enable PAM-aware services to use pam_sss to > > authenticate not against all but against expliclty selected > > combination. By creating multiple pam configuration/service for > > multiple e.g. VPN endpoints on the same host. Counting on that > > example: > > > > VPN service #1 is configured to use PAM configuration/service: > > /etc/pam.d/vpn-sales-dep.conf > > > > Which consists of: > > {auth,account} ... pam_sss.so > > domains=emea.example.com,hq.example.com > > > > VPN service #2 is ocnfigued to use PAM configuration/service: > > /etc/pam.d/vpn-it.conf > > > > Which consists of: > > {auth,account} ... pam_sss.so domains=it.example.com > > > > And a completely different service / e.g. Webserver which should > > grant access for all SSSD domains: > > /etc/pam.d/random-intranet.conf > > > > Which consists of: > > {auth,account} ... pam_sss.so > > > > > > > > And so on ... everything on the same machine. > > > > This VPN service (e.g. OpenVPN) requires no modification to support > > this. For each of those PAM configuration another OpenVPN daemon > > gets started with a different PAM plugin configuration (and > > different routing options and such). > > > > > > I am not quite sure how this could be done by moving the domains= > > configuration inside sssd.conf, without modifying the existing > > PAM-aware services - like OpenSSH, OpenVPN, ... > > My understanding was that the domain section would grow a new > parameter, something like allowed_pam_services. Then in your case you > would have: > > [domain/emea.example.com] > allowed_pam_services = vpn-sales-dep > > [domain/hq.example.com] > allowed_pam_services = vpn-sales-dep > > [domain/it.example.com] > allowed_pam_services = vpn-it > > I see the point that your configuration is more flexible, though. > > However, we had some discussion around this effort internally with Jan > and Simo couple of weeks ago. I added them to the CC list so they can > check of your approach would work for them.. But this would require restart of sssd each time one would add a new (e.g.) VPN endpoint - right? Right now it is quite convinced that one just can change the /etc/pam.d/* configuration without requiring to restart/reload the PAM-enabled service (e.g. VPN daemon) which authenticates against pam_sss. And also not requiring to restart sssd during business hours or so. There is no "reload" configuration functionality in sssd yet - right? _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
