https://bugzilla.redhat.com/show_bug.cgi?id=746642
In RHDS 8.2 (and 9.0 AFAIK), only one global PAM service file can be defined per RHDS instance for use by the pam_passthru plugin. In the example use case that >1 AD domains are synchronised into RHDS, it would be nice to be able to define binds against one AD domain/RHDS subtree to use one PAM service file (to passthru authentication to the relevant AD DC) and binds to a different AD domain/RHDS subtree to use a different PAM service file. At the moment, this can be worked around with pam_regex from http://puszcza.gnu.org.ua/software/pam-modules/ and the following example service file, but it's ugly and pam_regex is not part of RHEL so not supported.
=== 8< ===
#%PAM-1.0
# domain1: if the user name does not match, skip the next two lines
auth [default=2 success=ignore] pam_regex.so regex=^[^@]+@domain1.com$
auth optional pam_regex.so transform=s/@domain1.com$//
auth required pam_ldap_static.so config=/etc/ldap-domain1.conf
# domain2: same pattern, different LDAP config
auth [default=2 success=ignore] pam_regex.so regex=^[^@]+@domain2.com$
auth optional pam_regex.so transform=s/@domain2.com$//
auth required pam_ldap_static.so config=/etc/ldap-domain2.conf
account sufficient pam_permit.so
=== 8< ===
batch update moving tickets to future
I believe that this can mostly be accomplished by simply supporting multiple plug-in configuration entries. Different PAM plug-in instances can apply to different suffixes, each using its own PAM service name.
If we want to allow more flexible configurations, we could also add a filter configuration attribute, which can be used to specify the entries that a particular PAM passthrough instance should apply to. This would allow one to key off of contents of an entry when determining which configuration to use instead of relying on the DIT structure.
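As an added illustration of the multi-instance design described above (not a configuration from this ticket or from the 389-ds-base project itself), two child entries under the PAM pass-through plug-in entry, one per AD domain subtree, each selecting its own PAM service. The entry names, the `pamConfig` object class, and the `pamSuffix`, `pamFilter`, `pamService`, `pamIDMapMethod`, `pamFallback` and `pamSecure` attributes are assumed from the plug-in's later documented schema; the suffixes and `o` values are constructed.

```ldif
# Constructed example: PAM pass-through config, one entry per AD domain.
# Attribute names are assumed from the plug-in schema, not taken from the ticket.
dn: cn=domain1 PAM,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: pamConfig
cn: domain1 PAM
# binds under this subtree go to the domain1 service file
pamSuffix: ou=domain1,dc=example,dc=com
# optional filter keyed off entry contents instead of DIT position
pamFilter: (o=domain1.com)
pamIDMapMethod: RDN
pamService: ldap-domain1
# do not fall back to the local userPassword when PAM rejects the bind
pamFallback: FALSE
# require a secure connection: the plain-text password is forwarded to PAM
pamSecure: TRUE

dn: cn=domain2 PAM,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: pamConfig
cn: domain2 PAM
pamSuffix: ou=domain2,dc=example,dc=com
pamFilter: (o=domain2.com)
pamIDMapMethod: RDN
pamService: ldap-domain2
pamFallback: FALSE
pamSecure: TRUE
```

Each `pamService` value names a separate file under `/etc/pam.d/`, so the single pam_regex service file above splits into one plain service per domain, with no regex dispatch and no unsupported module.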
In the postop - you should check if the operation succeeded or failed. This wasn't necessary with the DSE callbacks because if the DSE preop failed, the DSE postop was not called. Something like mep_oktodo().
Revised patch 0001-ticket-181-Allow-PAM-passthru-plug-in-to-have-multip.patch
The above revised patch avoids some unnecessary DN normalization and addressed the post-op concern raised by Rich.
Pushed revised patch to master. Thanks to Rich and Noriko for their reviews!
Counting objects: 23, done. Delta compression using up to 2 threads. Compressing objects: 100% (12/12), done. Writing objects: 100% (12/12), 11.76 KiB, done. Total 12 (delta 9), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git f5930b8..dbcd448 master -> master
Added initial screened field value.
Metadata Update from @nkinder: - Issue assigned to nkinder - Issue set to the milestone: 1.2.11.a1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/181
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)