-----Original Message-----
From: sssd-devel-bounces(a)lists.fedorahosted.org [mailto:sssd-devel-bounces(a)lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Monday, 19 March 2012 9:57 PM
To: sssd-devel(a)lists.fedorahosted.org
Subject: Re: [SSSD] sssd.conf include feature
On Mon, 2012-03-19 at 09:16 +0100, Jakub Hrozek wrote:
> On Mon, Mar 19, 2012 at 06:24:53PM +1100, Greg.Lehmann(a)csiro.au wrote:
> > Wondering about whether this feature exists or is planned to exist? It is
> > for use in a shared administration environment. We have central
> > administration and local administrators. It would allow a central
> > configuration for sssd with local changes. Puppet could manage the central
> > main file and include a user managed portion. We handle sudoers in a
> > similar way. I guess the main use of this might be to allow local admins
> > to control who can login to a server. sssd.conf could include something
> > like this:
> >
> > access_provider = simple
> > simple_allow_groups = central_admins
> >
> > and the included locally managed file could have
> >
> > simple_allow_users = user01, user03, user42
> >
> > I know we can do this in other ways with puppet, but this would be simpler
> > and it seems to me an include feature might have other uses.
>
> Hi, this enhancement is tentatively scheduled for 1.11:
> https://fedorahosted.org/sssd/ticket/1165

This request is subtly different. I opened a new ticket,
https://fedorahosted.org/sssd/ticket/1264 to track this.

I'm not sure it's that complicated. I was asking for a vanilla include, i.e. the
include statement in sssd.conf is replaced with the contents of the file it references. I
think that functionality can be used, as long as statements included have not already been
used in the main file, to achieve my goal of controlling access to a server from 2 places.
It would also cover the domain per file idea in ticket 1165. I definitely don't want
local admins to be able to override the central admins' ability to log in. Local admins may
not be as experienced as the central ones, so mistakes happen and central admins need
access to fix things.
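
Added example, not part of the thread and not SSSD code: a pre-deployment check that a configuration-management run could apply to the textual include described above, so that a locally managed fragment can neither redefine a centrally set option nor set anything outside a delegated list. The `include <file>` syntax, the fragment name `local_access.conf`, the section name and the allowlist are assumptions made for illustration.

```python
import re

# Hypothetical directive syntax: the thread only proposes the feature.
INCLUDE = re.compile(r"^\s*include\s+(\S+)\s*$")
OPTION = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=")

class IncludeConflict(Exception):
    """A fragment tried to set something it is not allowed to."""

def expand(main_text, fragments, local_allowed):
    """Replace each include line with its fragment, enforcing two rules:
    a fragment may only set keys in local_allowed, and no key may be set
    twice in the same section (so neither file overrides the other)."""
    seen, out, section = {}, [], None

    def feed(line, origin):
        nonlocal section
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if origin != "main":
                raise IncludeConflict(f"{origin}: section header {stripped} in fragment")
            section = stripped[1:-1]
        match = OPTION.match(line)
        if match:
            key = match.group(1)
            if origin != "main" and key not in local_allowed:
                raise IncludeConflict(f"{origin}: '{key}' is not delegated to local admins")
            if (section, key) in seen:
                raise IncludeConflict(f"{origin}: '{key}' already set by {seen[(section, key)]}")
            seen[(section, key)] = origin
        out.append(line)

    for line in main_text.splitlines():
        inc = INCLUDE.match(line)
        if inc:
            for frag_line in fragments[inc.group(1)].splitlines():
                feed(frag_line, inc.group(1))
        else:
            feed(line, "main")
    return "\n".join(out)

# Constructed sample input based on the options quoted in the thread.
MAIN = """[domain/example]
access_provider = simple
simple_allow_groups = central_admins
include local_access.conf"""
LOCAL = "simple_allow_users = user01, user03, user42"
ALLOWED = {"simple_allow_users"}

if __name__ == "__main__":
    print(expand(MAIN, {"local_access.conf": LOCAL}, ALLOWED))
```

The allowlist matters as much as the duplicate check: a fragment that sets a different option, such as `simple_deny_groups`, never collides with a central key yet still changes who can log in.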