Cheers for the feedback.
On 2017-06-28 12:14, Alexander Bokovoy wrote:
We are going to introduce a special type of groups where membership
reading would be limited to some conditions but this would not be
relevant to HBAC, at least from my current understanding of the
situation. This is to support organizational groups, not host-based
access rights.
I guess at worst for this we might need a new set of
role/privilege/permission that would allow viewing of all memberOf
attributes.
On Tue, 27 Jun 2017, Jakub Hrozek wrote:
> There were requests to implement authentication over the D-bus
> interface
> in the past and we were quite reluctant to them, but IIRC that was
> because PAM handles prompting for the secrets, passing auth tokens and
> it's just well battle-tested.
Yeah, that absolutely makes sense.
> But I don't see the same issues with an authorization call.
Excellent :)
> I would prefer another interface than infopipe (authzpipe?), but in
> general, as long as the interface is restricted to authorization and
> not authentication, I don't see an inherent issue.
Would the authzpipe be another interface provided by sssd_ifp, or would
you want another process (say, sssd_azp) to provide it?
I guess then if I were to start working up some patches, I wouldn't be
wasting everyone's time? :)
--
HJ
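To make the authorization-only call discussed in this thread concrete, below is a small HBAC-style evaluator added as an example; it is not SSSD or FreeIPA code, and the names (`HbacRule`, `AuthzRequest`, `authz_check`) and the sample rules are invented for the illustration. It takes only identity and context (user, group membership, host, hostgroup membership, requested service) and returns a decision, so nothing in it handles a password or token, which is the property that keeps such an interface on the authorization side of the line. It also shows why the caller needs to see group membership at all, which is the memberOf visibility question raised earlier in the thread.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Category value meaning "matches everything"; FreeIPA HBAC uses the same
# idea for usercategory / hostcategory / servicecategory.
ALL = "all"


@dataclass(frozen=True)
class HbacRule:
    """One allow rule (hypothetical model). A part of the rule matches when its
    category is ALL, the subject is listed directly, or the subject belongs
    to one of the listed groups. Empty sets with no category match nothing."""
    name: str
    enabled: bool = True
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    hostgroups: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    user_cat: Optional[str] = None
    host_cat: Optional[str] = None
    service_cat: Optional[str] = None


@dataclass(frozen=True)
class AuthzRequest:
    """Everything the check needs. Deliberately no secret of any kind:
    the caller has already authenticated the user through PAM."""
    user: str
    user_groups: FrozenSet[str]   # memberOf data the caller must be able to read
    host: str
    host_groups: FrozenSet[str]
    service: str                  # e.g. the PAM service name


def rule_matches(rule: HbacRule, req: AuthzRequest) -> bool:
    """True when all three parts (user, host, service) of the rule match."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_cat == ALL
               or req.user in rule.users
               or not req.user_groups.isdisjoint(rule.groups))
    host_ok = (rule.host_cat == ALL
               or req.host in rule.hosts
               or not req.host_groups.isdisjoint(rule.hostgroups))
    svc_ok = rule.service_cat == ALL or req.service in rule.services
    return user_ok and host_ok and svc_ok


def authz_check(rules: Iterable[HbacRule],
                req: AuthzRequest) -> Tuple[bool, Optional[str]]:
    """Default deny: allowed only if some enabled allow rule matches.
    Returns (allowed, name of the first matching rule or None)."""
    for rule in rules:
        if rule_matches(rule, req):
            return True, rule.name
    return False, None


# Constructed sample policy for the demonstration.
SAMPLE_RULES = (
    HbacRule(name="admins-ssh-anywhere",
             groups=frozenset({"admins"}),
             host_cat=ALL,
             services=frozenset({"sshd"})),
    HbacRule(name="webteam-on-webservers",
             groups=frozenset({"webteam"}),
             hostgroups=frozenset({"webservers"}),
             services=frozenset({"sshd", "login"})),
    HbacRule(name="disabled-allow-all",
             enabled=False,
             user_cat=ALL, host_cat=ALL, service_cat=ALL),
)


if __name__ == "__main__":
    req = AuthzRequest("bob", frozenset({"webteam"}),
                       "web1.example.test", frozenset({"webservers"}), "sshd")
    print(authz_check(SAMPLE_RULES, req))
```

The point to notice is the shape of `AuthzRequest`: a D-Bus method with this signature can be exposed to unprivileged local callers without widening the trust boundary that PAM guards, because the worst a caller can learn is a yes/no answer for a named user and host, not a credential.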