On Wed, 30 Jul 2014 02:17:59 -0700 Jakub Hrozek <[email protected]> wrote:
> On Wed, Jul 30, 2014 at 11:07:01AM +0200, Daniel Gollub wrote: > > But this would require restart of sssd each time one would add a new > > (e.g.) VPN endpoint - right? > > Right, is that something you would do regularly, though and not a > one-off thing when you set up your infrastructure. In my use-case, using that for a router/vpn appliance this might could happen more often - but not regularly. E.g. adding new region LDAP for a VPN or something like that - or dropping VPN access to a specific VPN concentrate or so. The neat thing would be that one could add an additional e.g. LDAP or AD server for authentication - without the need to worry about temporarily failing authentication of clients while SSSD is restarting. Is the enumeration via LDAP/AD is done on every start-up of SSSD? (Even if this is not recommended on very large LDAP trees - regular enumeration could be prevent and avoid some noise at somer other end) > > > Right now it is quite convinced that one just can change > > the /etc/pam.d/* configuration without requiring to restart/reload > > the PAM-enabled service (e.g. VPN daemon) which authenticates > > against pam_sss. And also not requiring to restart sssd during > > business hours or so. > > > > There is no "reload" configuration functionality in sssd yet - > > right? > > > > Correct, we tried and failed, reloading configuration on the fly is > much harder to implement correctly than it seems. Yeah, I could imagine that is not trivial to do. So ideal I would like to avoid to restart sssd every time someone tries to fine-tune the correct authentication setting for one new VPN endpoint - by potentially disturbing authentication of "live"/"production" used VPN endpoints on the system. _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
