On Sat, 2 Aug 2014 12:15:01 -0700
Jan Pazdziora <[email protected]> wrote:

> On Tue, Jul 29, 2014 at 04:59:23PM +0200, Daniel Gollub wrote:
> > 
> > VPN service #1 is configured to use PAM configuration/service:
> > /etc/pam.d/vpn-sales-dep.conf
> > 
> > Which consists of:
> > {auth,account} ... pam_sss.so
> > domains=emea.example.com,hq.example.com
> > 
> > VPN service #2 is ocnfigued to use PAM configuration/service:
> > /etc/pam.d/vpn-it.conf
> > 
> > Which consists of:
> > {auth,account} ... pam_sss.so domains=it.example.com
> 
> When the client using the PAM services vpn-sales-dep will want to
> authenticate the user, will it be expected to call pam_start
> with "login" or "[email protected]"?
> 

This proposed patch is not changing the existing sssd/pam_sss behavior
if a domain in login is required or not. If the sssd
option "use_fully_qualified_names" is false (default) then both will
work. If set to true, the domain needs to be specified.

If the PAM service is using domains=emea.example,hq.example.com and
someone tries to sneak in by authenticating with:
[email protected] ... this will not work. The sssd pam responder
code - with this patch applied - is intended to completely skip any
other domain which is not set by the domains= argument.
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to