Cheers for the feedback.

On 2017-06-28 12:14, Alexander Bokovoy wrote:

We are going to introduce a special type of groups where membership
reading would be limited to some conditions but this would not be
relevant to HBAC, at least from my current understanding of the
situation. This is to support organizational groups, not host-based
access rights.

I guess at worst for this we might need a new set of role/privilege/permission that would allow viewing of all memberOf attributes.

On Tue, 27 June 2017, Jakub Hrozek wrote:
There were requests to implement authentication over the D-bus interface
in the past and we were quite reluctant to them, but IIRC that was
because PAM handles prompting for the secrets, passing auth tokens and
it's just well battle-tested.

Yeah, that absolutely makes sense.

But I don't see the same issues with an authorization call.

Excellent :)

I would prefer another interface than infopipe (authzpipe?), but in
general, as long as the interface is restricted to authorization and not
authentication, I don't see an inherent issue.

Would the authzpipe be another interface provided by sssd_ifp, or would you want another process (say, sssd_azp) to provide it?

I guess then if I were to start working up some patches, I wouldn't be wasting everyone's time? :)

--
HJ
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org