On 01/30/2014 05:35 AM, Denis Kutin wrote:
Dear friends,
Having used sssd for a long time, I have recently come across a problem, which I would like to solve with your help.
I provide a centralized authentication and authorization service for a huge heterogeneous network. And in my case it would be "nice and easy" if sssd used only shells(5). I believe this mechanism is sufficient for identification of an allowed shell.
I take the liberty of offering you this tiny patch, which allows the use of a wildcard (*) in the allowed_shells parameter in sssd.conf.
What do you think about it?
-- Denis Kutin
Thanks for the patch. But let us start from the beginning. I see the problem that you want to solve, so please file a ticket so that we can track it for the future.
I am not an expert in the code but:
1) The check is inside the loop; it probably should be outside the loop (not sure).
2) The debug message should be different, because we want to differentiate it from "allowed but does not exist".
3) We are saying that we are using the user shell but actually returning shell_fallback, is that right?
-- Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
created: https://fedorahosted.org/sssd/ticket/2219
1) Well, I was also confused. But it does not seem necessary, because in the loop we check all shells in allowed_shell, and if one (I assume it's the only one) is '*', we get what we need.
2) But we already have it: DEBUG(5, ("The shell '%s' is allowed but does not exist. " "Using fallback\n", user_shell));
3) Not exactly, we're using shell_fallback and saying it.