URL:
https://github.com/SSSD/sssd/pull/275
Author: akamensky
Title: #275: Implement access verification by rhost using ldap_access_order rhost option
Action: edited
Changed field: body
Original value:
"""
TL;DR - this is to implement functionality similar to both `sshd_config:AllowUsers` and
`PAM's own rhost verification`.
This was asked in IRC and [mailing
list](https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedor...
(with little follow-up in both). The reasoning behind the implementation can be seen in the linked
mailing list thread.
The current PR provides the basic functionality of comparing rhost (from PAM) with values stored
in LDAP. To enable this, set `ldap_access_order = rhost` and `ldap_user_authorized_rhost =
<ldap_field_name| default: rhost>` in sssd.conf.
It _currently*_ provides rule evaluation similar to how it currently works for host-based
authentication.
TODO:
- [ ] Finalize logic of using DNS/rDNS for rules validation (currently working on a basic
idea of how it should work - any help here?)
- [ ] Implement use of DNS/rDNS (with optional switch to enable/disable)
- [ ] Documentation
- [ ] Test coverage (didn't see test coverage for host auth, so is it needed?)
\* It is entirely possible that logic might slightly change, but mostly I imagine it
staying the same.
"""
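The rule evaluation the description refers to, as an added sketch that is not part of this PR or of SSSD's code: it assumes rhost values are evaluated the same way as the existing host rules (an explicit `!value` deny wins, then an exact case-insensitive match, then `*`), and the function name and sample values are hypothetical. It compares strings only, with no DNS/rDNS lookup, and treats an empty rhost as denied, which is also an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not SSSD code. `rules` holds the values of the LDAP
 * attribute named by ldap_user_authorized_rhost for one user; `rhost` is
 * PAM_RHOST exactly as the calling application supplied it. */
bool rhost_access_allowed(const char *rhost, const char *const *rules, size_t n)
{
    bool allowed = false;               /* default deny: no matching rule */

    if (rhost == NULL || rhost[0] == '\0') {
        return false;                   /* assumption: no rhost, no access */
    }
    for (size_t i = 0; i < n; i++) {
        const char *rule = rules[i];
        if (rule == NULL || rule[0] == '\0') {
            continue;                   /* ignore empty attribute values */
        }
        if (rule[0] == '!' && strcasecmp(rhost, rule + 1) == 0) {
            return false;               /* explicit deny wins, in any order */
        }
        if (strcasecmp(rhost, rule) == 0 || strcmp(rule, "*") == 0) {
            allowed = true;             /* keep scanning for a later deny */
        }
    }
    return allowed;
}

int main(void)
{
    /* Constructed sample attribute values, not taken from the PR. */
    const char *const rules[] = { "*", "bastion.example.com", "!10.0.0.5" };
    const char *const probes[] = { "bastion.example.com", "192.0.2.7", "10.0.0.5" };

    for (size_t i = 0; i < 3; i++) {
        printf("%-22s %s\n", probes[i],
               rhost_access_allowed(probes[i], rules, 3) ? "allow" : "deny");
    }
    return 0;
}
```

Because the deny check returns immediately while an allow only sets a flag, a `*` placed before `!10.0.0.5` in the attribute does not override the deny.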