On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
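Review bot: The replacement NOTE's phrase "restricted domains are public" is ambiguous, because nothing in the sentence says that "restricted domains" means the domains listed in this domains option. The parenthetical "(pam_trusted_users option)" is also attached to "untrusted user", although the option names the trusted users. Suggest wording it along the lines of: if the PAM service is run by a user who is not listed in pam_trusted_users, every domain given in the domains option must also be listed in pam_public_domains. The note should also state what happens when that condition is not met, and "by untrusted user" needs an article ("by an untrusted user").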
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
On (09/02/16 08:17), Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Should we ask Aneta for help/review ?
LS
On Tue, Feb 09, 2016 at 08:37:04AM +0100, Lukas Slebodnik wrote:
On (09/02/16 08:17), Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Should we ask Aneta for help/review ?
Maybe, but it was her who asked us to improve this paragraph in the first place :)
On (09/02/16 09:36), Jakub Hrozek wrote:
On Tue, Feb 09, 2016 at 08:37:04AM +0100, Lukas Slebodnik wrote:
On (09/02/16 08:17), Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Should we ask Aneta for help/review ?
Maybe, but it was her who asked us to improve this paragraph in the first place :)
That's exactly the reason why her review might be useful.
LS
On 02/09/2016 08:17 AM, Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Oh, sorry. By "restricted domain" I thought only the domains you are restricting access to - like the only ones you can use. It's used in the context of the first paragraph of domains option.
I'll try to rephrase.
""" If PAM service is being run by untrusted user(<quote>pam_trusted_users</quote> option) then please make sure that domains entered into domains option are actually public (<quote>pam_public_domains</quote> option). Otherwise access will be denied because untrusted user would be trying to access non-public domain. """
Does it sound any better? Would you propose some other wording? Or we can drop the note completely.
Thanks!
On 02/09/2016 03:42 PM, Pavel Reichl wrote:
On 02/09/2016 08:17 AM, Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by
untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Oh, sorry. By "restricted domain" I thought only the domains you are restricting access to - like the only ones you can use. It's used in the context of the first paragraph of domains option.
I'll try to rephrase.
""" If PAM service is being run by untrusted user(<quote>pam_trusted_users</quote> option) then please make sure that domains entered into domains option are actually public (<quote>pam_public_domains</quote> option). Otherwise access will be denied because untrusted user would be trying to access non-public domain. """
Does it sound any better? Would you propose some other wording? Or we can drop the note completely.
Thanks!
I think any description will be confusing without the knowledge of pam_trusted_users and pam_public_domains options. Since the default is that all users are considered to be trusted I don't think we need to mention it here. How about:
domains Allows the administrator to restrict the domains a particular PAM service is allowed to authenticate against. The format is a comma-separated list of SSSD domain names, as specified in the sssd.conf file.
See also: pam_public_domains, pam_trusted_users in sssd.conf(5) manual page
On 03/02/2016 01:08 PM, Pavel Březina wrote:
On 02/09/2016 03:42 PM, Pavel Reichl wrote:
On 02/09/2016 08:17 AM, Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by
untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Oh, sorry. By "restricted domain" I thought only the domains you are restricting access to - like the only ones you can use. It's used in the context of the first paragraph of domains option.
I'll try to rephrase.
""" If PAM service is being run by untrusted user(<quote>pam_trusted_users</quote> option) then please make sure that domains entered into domains option are actually public (<quote>pam_public_domains</quote> option). Otherwise access will be denied because untrusted user would be trying to access non-public domain. """
Does it sound any better? Would you propose some other wording? Or we can drop the note completely.
Thanks!
I think any description will be confusing without the knowledge of pam_trusted_users and pam_public_domains options. Since the default is that all users are considered to be trusted I don't think we need to mention it here. How about:
domains Allows the administrator to restrict the domains a particular PAM service is allowed to authenticate against. The format is a comma-separated list of SSSD domain names, as specified in the sssd.conf file.
See also: pam_public_domains, pam_trusted_users in sssd.conf(5) manual page
It's fine by me. Shall you prepare a patch or do we want Jakub's or Aneta's approval first?
On 03/04/2016 10:18 AM, Pavel Reichl wrote:
On 03/02/2016 01:08 PM, Pavel Březina wrote:
On 02/09/2016 03:42 PM, Pavel Reichl wrote:
On 02/09/2016 08:17 AM, Jakub Hrozek wrote:
On Fri, Jan 29, 2016 at 02:30:36PM +0100, Pavel Reichl wrote:
Hello, please see trivial patch attached. Thanks.
From 6d5f6b71c2d2f891470dc1c9f08ae67f5b6c02f5 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Fri, 29 Jan 2016 08:27:01 -0500 Subject: [PATCH] PAM: Clarify man page for domains option
Resolves: https://fedorahosted.org/sssd/ticket/2946
src/man/pam_sss.8.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index 7794d3acfdfdbde491a3e1ada44481b73588e41f..278126c14d0a574a1e120762af264ef653deb0b0
100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -145,9 +145,11 @@ SSSD domain names, as specified in the sssd.conf file. </para> <para>
NOTE: Must be used in conjunction with the
<quote>pam_trusted_users</quote> and
<quote>pam_public_domains</quote> options.
NOTE: If PAM service is being run by
untrusted user
(<quote>pam_trusted_users</quote> option)
then please make
sure that restricted domains are public
(<quote>pam_public_domains</quote> option). Please see the <citerefentry> <refentrytitle>sssd.conf</refentrytitle>
-- 2.4.3
I'm sorry, but this doesn't read any better to me. Especially I don't understand "restricted domains are public", sounds like an oxymoron to me.
Oh, sorry. By "restricted domain" I thought only the domains you are restricting access to - like the only ones you can use. It's used in the context of the first paragraph of domains option.
I'll try to rephrase.
""" If PAM service is being run by untrusted user(<quote>pam_trusted_users</quote> option) then please make sure that domains entered into domains option are actually public (<quote>pam_public_domains</quote> option). Otherwise access will be denied because untrusted user would be trying to access non-public domain. """
Does it sound any better? Would you propose some other wording? Or we can drop the note completely.
Thanks!
I think any description will be confusing without the knowledge of pam_trusted_users and pam_public_domains options. Since the default is that all users are considered to be trusted I don't think we need to mention it here. How about:
domains Allows the administrator to restrict the domains a particular PAM service is allowed to authenticate against. The format is a comma-separated list of SSSD domain names, as specified in the sssd.conf file.
See also: pam_public_domains, pam_trusted_users in sssd.conf(5) manual page
It's fine by me. Shall you prepare a patch or do we want Jakub's or Aneta's approval first?
Since there is no comment, go ahead and prepare the patch. I'll ack it then if there won't be any stir.
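The interaction discussed in this thread, as an added example that is not part of the patch or of SSSD: a small Python check that reports which domains named in a pam_sss `domains=` argument are missing from `pam_public_domains` once `pam_trusted_users` is set. The sample configuration, the service line and the function names are constructed; the `all`/`none` values and the `none` default for `pam_public_domains` are taken from sssd.conf(5), not from this thread.

```python
import configparser

# Constructed sample: [pam] section of sssd.conf (domain names are made up).
SSSD_CONF = """
[pam]
pam_trusted_users = root, gdm
pam_public_domains = ldap.example
"""

# Constructed sample: a PAM service line that uses the pam_sss domains option.
PAM_LINE = "auth sufficient pam_sss.so forward_pass domains=ldap.example,ad.example"


def split_list(value):
    """Split a comma-separated option value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def pam_sss_domains(pam_line):
    """Return the domains listed in the domains= argument of a pam_sss line."""
    fields = pam_line.split()
    if not any(f.endswith("pam_sss.so") for f in fields):
        return []
    for f in fields:
        if f.startswith("domains="):
            return split_list(f[len("domains="):])
    return []


def non_public_domains(sssd_conf_text, pam_line):
    """Domains in domains= that an untrusted caller of the service is denied."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    pam = cfg["pam"] if cfg.has_section("pam") else {}
    # Default: every user is trusted, so the public list is never consulted.
    if not split_list(pam.get("pam_trusted_users", "")):
        return []
    public = split_list(pam.get("pam_public_domains", "none"))
    lowered = [p.lower() for p in public]
    if "all" in lowered:
        return []
    if lowered == ["none"]:
        public = []
    return [d for d in pam_sss_domains(pam_line) if d not in public]


if __name__ == "__main__":
    for domain in non_public_domains(SSSD_CONF, PAM_LINE):
        print(f"{domain}: in domains= but not in pam_public_domains")
```
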