On Wed, 2014-07-30 at 10:58 +0200, Jakub Hrozek wrote: > On Tue, Jul 29, 2014 at 04:59:23PM +0200, Daniel Gollub wrote: > > Hi Jakub, > > > > On Tue, 29 Jul 2014 07:32:58 -0700 > > Jakub Hrozek <[email protected]> wrote: > > > > > On Tue, Jul 29, 2014 at 04:15:16PM +0200, Daniel Gollub wrote: > > > > Fixes: > > > > https://fedorahosted.org/sssd/ticket/1021 > > > > > > Thanks a lot for the patch! > > > > > > I wonder, though if you read the discussion in the ticket where Simo > > > and Sumit argued this functionality should be implemented in sssd.conf > > > rather than the pam module? > > > > > > If you saw the discussion, what prompted you to continue the pam > > > option way? > > > > What I plan to do is following: > > > > Have a sssd.conf with multiple domains configured of different types > > and configuration configured - e.g. > > > > - "emea.example.com", "hq.example.com" both as LDAP domain > > - "it.example.com" as Local-domain > > > > With that I want to enable PAM-aware services to use pam_sss to > > authenticate not against all but against expliclty selected combination. > > By creating multiple pam configuration/service for multiple e.g. VPN > > endpoints on the same host. Counting on that example: > > > > VPN service #1 is configured to use PAM configuration/service: > > /etc/pam.d/vpn-sales-dep.conf > > > > Which consists of: > > {auth,account} ... pam_sss.so domains=emea.example.com,hq.example.com > > > > VPN service #2 is ocnfigued to use PAM configuration/service: > > /etc/pam.d/vpn-it.conf > > > > Which consists of: > > {auth,account} ... pam_sss.so domains=it.example.com > > > > And a completely different service / e.g. Webserver which should grant > > access for all SSSD domains: > > /etc/pam.d/random-intranet.conf > > > > Which consists of: > > {auth,account} ... pam_sss.so > > > > > > > > And so on ... everything on the same machine. > > > > This VPN service (e.g. OpenVPN) requires no modification to support > > this. For each of those PAM configuration another OpenVPN daemon gets > > started with a different PAM plugin configuration (and different > > routing options and such). > > > > > > I am not quite sure how this could be done by moving the domains= > > configuration inside sssd.conf, without modifying the existing PAM-aware > > services - like OpenSSH, OpenVPN, ... > > My understanding was that the domain section would grow a new parameter, > something like allowed_pam_services. Then in your case you would have: > > [domain/emea.example.com] > allowed_pam_services = vpn-sales-dep > > [domain/hq.example.com] > allowed_pam_services = vpn-sales-dep > > [domain/it.example.com] > allowed_pam_services = vpn-it > > I see the point that your configuration is more flexible, though. > > However, we had some discussion around this effort internally with Jan > and Simo couple of weeks ago. I added them to the CC list so they can > check of your approach would work for them..
How do you trust what is claimed by a client ? Is this list a filter or is it meant as an access control to avoid divulging other domains information to specific processes ? Simo. _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
