We have a freeipa server and some clients. One of the clients runs a (minimal) Docker container with some custom application. The application does user authorization and authentication using PAM. Is there a good way to make PAM delegate all decisions to the host running the Docker conainer? We'd like to avoid configuring the container as a separate freeipa client.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
On Thu, Jul 09, 2020 at 04:56:21PM +0100, Dominik Vogt via FreeIPA-users wrote:
We have a freeipa server and some clients. One of the clients runs a (minimal) Docker container with some custom application. The application does user authorization and authentication using PAM. Is there a good way to make PAM delegate all decisions to the host running the Docker conainer? We'd like to avoid configuring the container as a separate freeipa client.
Hi,
it should be sufficient to make the sockets from /var/lib/sss/pipes/ available in the container at the same place, then pam_sss and libnss_sss should be able to talk to SSSD on the host. You might have to call authcon/authselect or similar to tune the PAM and nss configuration so that SSSD is used.
HTH
bye, Sumit
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Fri, Jul 10, 2020 at 05:29:16PM +0200, Sumit Bose via FreeIPA-users wrote:
On Thu, Jul 09, 2020 at 04:56:21PM +0100, Dominik Vogt via FreeIPA-users wrote:
We have a freeipa server and some clients. One of the clients runs a (minimal) Docker container with some custom application. The application does user authorization and authentication using PAM. Is there a good way to make PAM delegate all decisions to the host running the Docker conainer? We'd like to avoid configuring the container as a separate freeipa client.
it should be sufficient to make the sockets from /var/lib/sss/pipes/ available in the container at the same place, then pam_sss and libnss_sss should be able to talk to SSSD on the host. You might have to call authcon/authselect or similar to tune the PAM and nss configuration so that SSSD is used.
Okay, thanks a lot.
Is there anything else that needs to be done to make getpwnam(), getpwuid() and getgrouplists() use SSS from inside the container? (Sorry if that question is stupid, but I don't have access to the container now to try it.)
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
On Mon, Jul 13, 2020 at 12:35:28PM +0100, Dominik Vogt via FreeIPA-users wrote:
On Fri, Jul 10, 2020 at 05:29:16PM +0200, Sumit Bose via FreeIPA-users wrote:
On Thu, Jul 09, 2020 at 04:56:21PM +0100, Dominik Vogt via FreeIPA-users wrote:
We have a freeipa server and some clients. One of the clients runs a (minimal) Docker container with some custom application. The application does user authorization and authentication using PAM. Is there a good way to make PAM delegate all decisions to the host running the Docker conainer? We'd like to avoid configuring the container as a separate freeipa client.
it should be sufficient to make the sockets from /var/lib/sss/pipes/ available in the container at the same place, then pam_sss and libnss_sss should be able to talk to SSSD on the host. You might have to call authcon/authselect or similar to tune the PAM and nss configuration so that SSSD is used.
Okay, thanks a lot.
Is there anything else that needs to be done to make getpwnam(), getpwuid() and getgrouplists() use SSS from inside the container? (Sorry if that question is stupid, but I don't have access to the container now to try it.)
Hi,
no, as said calling authconfig/authselect in the container (or when creating the container image) with the option to enabled SSSD should be sufficient. Otherwise you have to modify /etc/nsswitch.conf and the PAM configuration manually.
HTH
bye, Sumit
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org
-
Dominik Vogt -
Sumit Bose