On Wed, 30 Jul 2014 01:58:00 -0700
Jakub Hrozek <[email protected]> wrote:

> On Tue, Jul 29, 2014 at 04:59:23PM +0200, Daniel Gollub wrote:
> > Hi Jakub,
> > 
> > On Tue, 29 Jul 2014 07:32:58 -0700
> > Jakub Hrozek <[email protected]> wrote:
> > 
> > > On Tue, Jul 29, 2014 at 04:15:16PM +0200, Daniel Gollub wrote:
> > > > Fixes:
> > > > https://fedorahosted.org/sssd/ticket/1021
> > > 
> > > Thanks a lot for the patch!
> > > 
> > > I wonder, though if you read the discussion in the ticket where
> > > Simo and Sumit argued this functionality should be implemented in
> > > sssd.conf rather than the pam module?
> > > 
> > > If you saw the discussion, what prompted you to continue the pam
> > > option way?
> > 
> > What I plan to do is following:
> > 
> > Have a sssd.conf with multiple domains configured of different types
> > and configuration configured - e.g.
> > 
> >  - "emea.example.com", "hq.example.com" both as LDAP domain
> >  - "it.example.com" as Local-domain
> > 
> > With that I want to enable PAM-aware services to use pam_sss to
> > authenticate not against all but against expliclty selected
> > combination. By creating multiple pam configuration/service for
> > multiple e.g. VPN endpoints on the same host. Counting on that
> > example:
> > 
> > VPN service #1 is configured to use PAM configuration/service:
> > /etc/pam.d/vpn-sales-dep.conf
> > 
> > Which consists of:
> > {auth,account} ... pam_sss.so
> > domains=emea.example.com,hq.example.com
> > 
> > VPN service #2 is ocnfigued to use PAM configuration/service:
> > /etc/pam.d/vpn-it.conf
> > 
> > Which consists of:
> > {auth,account} ... pam_sss.so domains=it.example.com
> > 
> > And a completely different service / e.g. Webserver which should
> > grant access for all SSSD domains:
> > /etc/pam.d/random-intranet.conf
> > 
> > Which consists of:
> > {auth,account} ... pam_sss.so
> > 
> > 
> > 
> > And so on ... everything on the same machine.
> > 
> > This VPN service (e.g. OpenVPN) requires no modification to support
> > this. For each of those PAM configuration another OpenVPN daemon
> > gets started with a different PAM plugin configuration (and
> > different routing options and such).
> > 
> > 
> > I am not quite sure how this could be done by moving the domains=
> > configuration inside sssd.conf, without modifying the existing
> > PAM-aware services - like OpenSSH, OpenVPN, ...
> 
> My understanding was that the domain section would grow a new
> parameter, something like allowed_pam_services. Then in your case you
> would have:
> 
> [domain/emea.example.com]
> allowed_pam_services = vpn-sales-dep
> 
> [domain/hq.example.com]
> allowed_pam_services = vpn-sales-dep
> 
> [domain/it.example.com]
> allowed_pam_services = vpn-it
> 
> I see the point that your configuration is more flexible, though.
> 
> However, we had some discussion around this effort internally with Jan
> and Simo couple of weeks ago. I added them to the CC list so they can
> check of your approach would work for them..

But this would require restart of sssd each time one would add a new
(e.g.) VPN endpoint - right?
Right now it is quite convinced that one just can change
the /etc/pam.d/* configuration without requiring to restart/reload the
PAM-enabled service (e.g. VPN daemon) which authenticates against
pam_sss. And also not requiring to restart sssd during business hours
or so.

There is no "reload" configuration functionality in sssd yet - right?

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to