That is entirely correct. I thought the access checks were done in auth, not in account. My mistake!
Sincerely,
Zach

On Mon, Apr 17, 2017 at 4:46 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Apr 14, 2017 at 08:10:35PM -0000, zac...@temple.edu wrote:
> > Hi list,
> >
> > This is more of a feature request, and I don't know if this is the right venue to ask. If not, kindly direct me to the proper place.
> >
> > The sssd configuration separates identity, authentication, and access providers. It would be nice to specify that only the access provider be enforced in a particular PAM stack. Generically, this is the authn vs authz issue. I would like to be able to use sssd for authz exclusively in some instances where other authentication is deemed satisfactory.
> >
> > Use cases:
> > ssh with public key + 2nd factor token authentication + sssd access filtering
> > su without password + sssd access filtering
> > custom service with external authentication + sssd access filtering
> >
> > I haven't delved too deeply into the sssd source to see how hard it would be to implement something like a pam argument authz_only that skips the auth provider, but it seems like it should be reasonable.
> >
> > Thoughts?
>
> Since this option would be set in the PAM service file anyway, does it
> make sense to even include pam_sss.so in the PAM stack's auth session?
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
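
Added example (not part of the original thread and not SSSD project code): a small check that a PAM service file calls pam_sss.so in the account stack but not in the auth stack, which is the authz-only layout the thread settles on. The service file contents and the module name pam_external_example.so are constructed placeholders, and include directives are not followed.

```python
import re

# Constructed PAM service file for a hypothetical service: authentication is
# done by another module (placeholder name), and pam_sss.so appears only in
# the account stack, where the SSSD access checks run.
SAMPLE = """\
#%PAM-1.0
auth      required    pam_external_example.so   # placeholder, not a real module
account   required    pam_sss.so
session   required    pam_limits.so
"""

TYPES = {"auth", "account", "password", "session"}

def module_types(text, module="pam_sss.so"):
    """Return the set of PAM management groups in which `module` is called."""
    found = set()
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        # type, control (single word or [bracketed list]), module path
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1).lower() not in TYPES:
            continue                            # e.g. "@include", not followed
        if m.group(3).rsplit("/", 1)[-1] == module:
            found.add(m.group(1).lower())
    return found

def is_authz_only(text, module="pam_sss.so"):
    """True when the module is used for access checks but never for auth."""
    types = module_types(text, module)
    return "account" in types and "auth" not in types

if __name__ == "__main__":
    print(sorted(module_types(SAMPLE)), is_authz_only(SAMPLE))
```
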