#4109 RFE: Support regex matching as pam_krb5 did
Closed: cloned-to-github 5 years ago by pbrezina. Opened 5 years ago by erinn.

Per this: https://docs.pagure.org/SSSD.sssd/users/pam_krb5_migration.html, it looks like an attempt was made to integrate all that pam_krb5 offered into sssd. However, support for mapping users using regexes was not included: https://docs.pagure.org/SSSD.sssd/users/pam_krb5_migration.html#localauth-k5login. Instead, static mapping of users was included. This unfortunately doesn't scale very well. The details of our particular use case are here: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/L5HBZGOENS5FH6J2XUJX2HUSGCE4CSFL/

The short version is that we need the ability to remap the user dynamically. We have <username> objects and <username>-sudo objects that exist in the AD, and we remap sudo auth to go against the <username>-sudo objects using the following in /etc/krb5.conf:

    pam = {
        debug = false
        forwardable = true
        renew_lifetime = 24h
        ticket_lifetime = 24h
        krb4_convert = false
        mappings = ^(.*)$ $1/sudo
    }

Something like this is no longer supported in SSSD and as such we have had to repackage pam_krb5 into our own repo for RHEL 8.

-Erinn


Metadata Update from @thalman:
- Issue tagged with: Future milestone

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5071

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

5 years ago
