On 03/04/2016 10:18 AM, Pavel Reichl wrote:


On 03/02/2016 01:08 PM, Pavel Březina wrote:
On 02/09/2016 03:42 PM, Pavel Reichl wrote:


On 02/09/2016 08:17 AM, Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.

 From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <[email protected]>
Date: Fri, 29 Jan 2016 08:27:01 -0500
Subject: [PATCH] PAM: Clarify man page for domains option

Resolves:
https://fedorahosted.org/sssd/ticket/2946
---
  src/man/pam_sss.8.xml | 8 +++++---
  1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -145,9 +145,11 @@
                          SSSD domain names, as specified in the
sssd.conf file.
                      </para>
                      <para>
-                        NOTE: Must be used in conjunction with the
-                        <quote>pam_trusted_users</quote> and
-                        <quote>pam_public_domains</quote> options.
+                        NOTE: If PAM service is being run by
untrusted user
+                        (<quote>pam_trusted_users</quote> option)
+                        then please make
+                        sure that restricted domains are public
+                        (<quote>pam_public_domains</quote> option).
                          Please see the
                          <citerefentry>
                              <refentrytitle>sssd.conf</refentrytitle>
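Review bot: the replacement NOTE in this hunk ("make sure that restricted domains are public") is ambiguous, because "restricted domains" is not a term the surrounding paragraph defines and it reads as the opposite of "public"; the added sentence is also missing articles ("If the PAM service is being run by an untrusted user"). Since the point is that a service called by a user outside pam_trusted_users can only reach domains listed in pam_public_domains, say that directly in terms of the option being documented, for example: "NOTE: If the PAM service can be invoked by a user not listed in pam_trusted_users, every domain given here must also be listed in pam_public_domains, otherwise the request is refused." As written, the new text is not clearer than the three lines it removes.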
--
2.4.3


I'm sorry, but this doesn't read any better to me. Especially I don't
understand "restricted domains are public", sounds like an oxymoron to
me.

Oh, sorry. By "restricted domain" I thought only the domains you are
restricting access to - like the only ones you can use. It's used in the
context of the first paragraph of domains option.

I'll try to rephrase.

"""
If PAM service is being run by untrusted
user (<quote>pam_trusted_users</quote> option) then please make sure that
domains entered into domains option are actually public
(<quote>pam_public_domains</quote> option). Otherwise access will be
denied because untrusted user would be trying to access non-public
domain.
"""

Does it sound any better? Would you propose some other wording? Or we
can drop the note completely.

Thanks!

I think any description will be confusing without the knowledge of
pam_trusted_users and pam_public_domains options. Since the default is
that all users are considered to be trusted I don't think we need to
mention it here. How about:

domains
    Allows the administrator to restrict the domains a particular PAM
    service is allowed to authenticate against. The format is a comma-
    separated list of SSSD domain names, as specified in the sssd.conf
    file.

    See also: pam_public_domains, pam_trusted_users in sssd.conf(5)
    manual page

It's fine by me. Shall you prepare a patch or do we want Jakub's or
Aneta's approval first?

Since there is no comment, go ahead and prepare the patch. I'll ack it then if there isn't any stir.

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
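The interaction of the three options discussed above, shown as an added configuration example that is not part of the thread or of the sssd project's documentation. The service name `myservice`, the domain names and the PAM stack line are constructed for illustration; the behaviour described in the comments is the one the thread describes (an untrusted caller restricted to a non-public domain is refused).

```ini
# /etc/sssd/sssd.conf (constructed example, not from the thread or the sssd docs)
# "myservice", "example.com" and "corp.example.net" are hypothetical names.
#
# The PAM stack for the service restricts it to a single domain with the
# pam_sss.so "domains" option; assumed line in /etc/pam.d/myservice:
#   auth  required  pam_sss.so domains=example.com

[sssd]
domains = example.com, corp.example.net
services = nss, pam

[pam]
# Only these callers of the PAM responder are trusted. A service that runs
# as any other account (e.g. an unprivileged daemon) is an "untrusted user"
# in the sense used in the thread.
pam_trusted_users = root

# Weak setting for that case: the domain selected by domains= is not public,
# so an untrusted caller of myservice is refused.
# pam_public_domains = none

# Corrected setting: every domain a restricted service may be called against
# by an untrusted user must also be listed here.
pam_public_domains = example.com
```

With the corrected setting, `myservice` can authenticate users of `example.com` whoever invokes it, while `corp.example.net` remains reachable only from services running as a trusted user.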
