#181 RFE: define pam_passthru service per subtree
Closed: Fixed. Opened 8 years ago by rmeggins.

https://bugzilla.redhat.com/show_bug.cgi?id=746642

In RHDS 8.2 (and 9.0 AFAIK), only one global PAM service file can be defined
per RHDS instance for use by the pam_passthru plugin.

In the example use case where more than one AD domain is synchronised into RHDS, it would
be nice to be able to define binds against one AD domain/RHDS subtree to use
one PAM service file (to pass through authentication to the relevant AD DC) and
binds to a different AD domain/RHDS subtree to use a different PAM service
file.

At the moment, this can be worked around with pam_regex from
http://puszcza.gnu.org.ua/software/pam-modules/ and the following example
service file, but it's ugly and pam_regex is not part of RHEL so not supported.

=== 8< ===
#%PAM-1.0
auth     [default=2 success=ignore] pam_regex.so regex=^[^@]+@domain1.com$
auth     optional   pam_regex.so transform=s/@domain1.com$//
auth     required   pam_ldap_static.so config=/etc/ldap-domain1.conf
auth     [default=2 success=ignore] pam_regex.so regex=^[^@]+@domain2.com$
auth     optional   pam_regex.so transform=s/@domain2.com$//
auth     required   pam_ldap_static.so config=/etc/ldap-domain2.conf
account  sufficient pam_permit.so
=== 8< ===

batch update moving tickets to future

I believe that this can mostly be accomplished by simply supporting multiple plug-in configuration entries. Different PAM plug-in instances can apply to different suffixes, each using its own PAM service name.

If we want to allow more flexible configurations, we could also add a filter configuration attribute, which can be used to specify the entries that a particular PAM passthrough instance should apply to. This would allow one to key off the contents of an entry when determining which configuration to use instead of relying on the DIT structure.
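The selection logic sketched in the comment above (and the per-domain routing the original report works around with pam_regex), as an added example that is not 389-ds code: a list of plug-in configuration instances, each carrying include/exclude suffixes, an optional entry filter and a PAM service name, is walked in order and the first instance that accepts the bind DN and entry wins. The attribute names pamIncludeSuffix, pamExcludeSuffix, pamFilter and pamService are assumed to mirror the plug-in's configuration schema and are not taken from this page; the filter evaluator handles only a single equality or presence assertion.

```python
# Added example (not 389-ds code): choose which PAM pass-through configuration
# instance applies to a bind, following the multi-instance design above.
# pamIncludeSuffix/pamExcludeSuffix/pamFilter/pamService are assumed names.
import re
from typing import Optional

def normalize_dn(dn: str) -> list:
    """Split a DN into lower-cased RDNs with surrounding whitespace removed.
    Escaped commas are not handled; sufficient for suffix comparison here."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it in the DIT."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

_FILTER = re.compile(r"^\(([A-Za-z][\w-]*)=([^)]*)\)$")

def filter_matches(flt: Optional[str], entry: dict) -> bool:
    """Evaluate one assertion such as (objectClass=x) or (mail=*) against an
    entry given as {attribute: [values]}; no filter means 'match everything'."""
    if not flt:
        return True
    m = _FILTER.match(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = m.group(1).lower(), m.group(2)
    lowered = {k.lower(): v for k, v in entry.items()}
    values = [str(v).lower() for v in lowered.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def select_pam_service(configs: list, bind_dn: str, entry: dict) -> Optional[str]:
    """Return pamService of the first instance whose suffix and filter rules
    accept the bind; None means no pass-through applies (normal LDAP bind)."""
    for cfg in configs:
        if any(dn_under_suffix(bind_dn, s) for s in cfg.get("pamExcludeSuffix", [])):
            continue
        if not any(dn_under_suffix(bind_dn, s) for s in cfg["pamIncludeSuffix"]):
            continue
        if not filter_matches(cfg.get("pamFilter"), entry):
            continue
        return cfg["pamService"]
    return None

# Constructed configuration: one instance per synchronised AD domain.
CONFIGS = [
    {"pamIncludeSuffix": ["ou=domain1,dc=example,dc=com"], "pamService": "ldap-domain1"},
    {"pamIncludeSuffix": ["ou=domain2,dc=example,dc=com"],
     "pamExcludeSuffix": ["ou=service,ou=domain2,dc=example,dc=com"],
     "pamFilter": "(objectClass=adSyncedUser)", "pamService": "ldap-domain2"},
]
```

Because instances are consulted in order, overlapping suffixes resolve deterministically to the first match; an entry that matches no instance (or is excluded) gets no pass-through service rather than an accidental one.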

In the postop, you should check if the operation succeeded or failed. This wasn't necessary with the DSE callbacks because if the DSE preop failed, the DSE postop was not called. Something like mep_oktodo().

The above revised patch avoids some unnecessary DN normalization and addressed the post-op concern raised by Rich.

Pushed revised patch to master. Thanks to Rich and Noriko for their reviews!

Counting objects: 23, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 11.76 KiB, done.
Total 12 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
f5930b8..dbcd448 master -> master

Added initial screened field value.

Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 1.2.11.a1

3 years ago
