Wondering about whether this feature exists or is planned to exist? It is for use in a shared administration environment. We have central administration and local administrators. It would allow a central configuration for sssd with local changes. Puppet could manage the central main file and include a user managed portion. We handle sudoers in a similar way. I guess the main use of this might be to allow local admins to control who can login to a server. sssd.conf could include something like this:
access_provider = simple
simple_allow_groups = central_admins
and the included locally managed file could have
simple_allow_users = user01, user03, user42
I know we can do this in other ways with puppet, but this would be simpler and it seems to me an include feature might have other uses.
On Mon, Mar 19, 2012 at 06:24:53PM +1100, Greg.Lehmann@csiro.au wrote:
> Wondering about whether this feature exists or is planned to exist? It is for use in a shared administration environment. We have central administration and local administrators. It would allow a central configuration for sssd with local changes. Puppet could manage the central main file and include a user managed portion. We handle sudoers in a similar way. I guess the main use of this might be to allow local admins to control who can login to a server. sssd.conf could include something like this:
> access_provider = simple
> simple_allow_groups = central_admins
> and the included locally managed file could have
> simple_allow_users = user01, user03, user42
> I know we can do this in other ways with puppet, but this would be simpler and it seems to me an include feature might have other uses.
Hi, this enhancement is tentatively scheduled for 1.11: https://fedorahosted.org/sssd/ticket/1165
On Mon, 2012-03-19 at 09:16 +0100, Jakub Hrozek wrote:
> On Mon, Mar 19, 2012 at 06:24:53PM +1100, Greg.Lehmann@csiro.au wrote:
> > Wondering about whether this feature exists or is planned to exist? It is for use in a shared administration environment. We have central administration and local administrators. It would allow a central configuration for sssd with local changes. Puppet could manage the central main file and include a user managed portion. We handle sudoers in a similar way. I guess the main use of this might be to allow local admins to control who can login to a server. sssd.conf could include something like this:
> > access_provider = simple
> > simple_allow_groups = central_admins
> > and the included locally managed file could have
> > simple_allow_users = user01, user03, user42
> > I know we can do this in other ways with puppet, but this would be simpler and it seems to me an include feature might have other uses.
> Hi, this enhancement is tentatively scheduled for 1.11: https://fedorahosted.org/sssd/ticket/1165
This request is subtly different. I opened a new ticket, https://fedorahosted.org/sssd/ticket/1264 to track this.
-----Original Message-----
From: sssd-devel-bounces@lists.fedorahosted.org [mailto:sssd-devel-bounces@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Monday, 19 March 2012 9:57 PM
To: sssd-devel@lists.fedorahosted.org
Subject: Re: [SSSD] sssd.conf include feature
> On Mon, 2012-03-19 at 09:16 +0100, Jakub Hrozek wrote:
> > On Mon, Mar 19, 2012 at 06:24:53PM +1100, Greg.Lehmann@csiro.au wrote:
> > > Wondering about whether this feature exists or is planned to exist? It is for use in a shared administration environment. We have central administration and local administrators. It would allow a central configuration for sssd with local changes. Puppet could manage the central main file and include a user managed portion. We handle sudoers in a similar way. I guess the main use of this might be to allow local admins to control who can login to a server. sssd.conf could include something like this:
> > > access_provider = simple
> > > simple_allow_groups = central_admins
> > > and the included locally managed file could have
> > > simple_allow_users = user01, user03, user42
> > > I know we can do this in other ways with puppet, but this would be simpler and it seems to me an include feature might have other uses.
> > Hi, this enhancement is tentatively scheduled for 1.11: https://fedorahosted.org/sssd/ticket/1165
> This request is subtly different. I opened a new ticket, https://fedorahosted.org/sssd/ticket/1264 to track this.
I'm not sure it's that complicated. I was asking for a vanilla include, i.e. the include statement in sssd.conf is replaced with the contents of the file it references. I think that functionality can be used, as long as statements included have not already been used in the main file, to achieve my goal of controlling access to a server from 2 places. It would also cover the domain per file idea in ticket 1165. I definitely don't want local admins to be able to override the central admins' ability to login. Local admins may not be as experienced as the central ones, so mistakes happen and central admins need access to fix things.
On 03/19/2012 07:25 PM, Greg.Lehmann@csiro.au wrote:
> -----Original Message-----
> From: sssd-devel-bounces@lists.fedorahosted.org [mailto:sssd-devel-bounces@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
> Sent: Monday, 19 March 2012 9:57 PM
> To: sssd-devel@lists.fedorahosted.org
> Subject: Re: [SSSD] sssd.conf include feature
> > On Mon, 2012-03-19 at 09:16 +0100, Jakub Hrozek wrote:
> > > On Mon, Mar 19, 2012 at 06:24:53PM +1100, Greg.Lehmann@csiro.au wrote:
> > > > Wondering about whether this feature exists or is planned to exist? It is for use in a shared administration environment. We have central administration and local administrators. It would allow a central configuration for sssd with local changes. Puppet could manage the central main file and include a user managed portion. We handle sudoers in a similar way. I guess the main use of this might be to allow local admins to control who can login to a server. sssd.conf could include something like this:
> > > > access_provider = simple
> > > > simple_allow_groups = central_admins
> > > > and the included locally managed file could have
> > > > simple_allow_users = user01, user03, user42
> > > > I know we can do this in other ways with puppet, but this would be simpler and it seems to me an include feature might have other uses.
> > > Hi, this enhancement is tentatively scheduled for 1.11: https://fedorahosted.org/sssd/ticket/1165
> > This request is subtly different. I opened a new ticket, https://fedorahosted.org/sssd/ticket/1264 to track this.
> I'm not sure it's that complicated. I was asking for a vanilla include i.e. the include statement in sssd.conf is replaced with the contents of the file it references. I think that functionality can be used, as long as statements included have not already been used in the main file, to achieve my goal of controlling access to a server from 2 places. It would also cover the domain per file idea in ticket 1165. I definitely don't want local admins to be able to override the central admins ability to login. Local admins may not be as experienced as the central ones, so mistakes happen and central admins need access to fix things.
The issue really arises when you start merging the configuration. What if you have overlapping sections and keys? How do you handle them? Who wins? Luckily I started writing this code some time ago and now found some time to dust it off. I will try to get to it this week if other duties do not take preference.
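The question raised in this thread, who wins when the included file overlaps the main one, worked through as an added example (not SSSD code and not how SSSD implements includes): a central-wins merge in which the local file may only contribute keys delegated to it. The section name, the `LOCAL_MAY_SET` policy and the function names are assumptions.

```python
import configparser

# Constructed sample: centrally managed main file (section name is an assumption).
MAIN = """\
[domain/example]
access_provider = simple
simple_allow_groups = central_admins
"""

# Constructed sample: local file that redefines a central key and adds a deny
# rule; per sssd-simple(5) a matching deny rule supersedes a matching allow rule.
LOCAL = """\
[domain/example]
simple_allow_users = user01, user03, user42
simple_allow_groups = local_admins
simple_deny_groups = central_admins
"""

# Hypothetical policy: the only keys a local administrator may contribute.
LOCAL_MAY_SET = {"simple_allow_users"}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def merge_central_wins(main_text, local_text, allowed=LOCAL_MAY_SET):
    """Merge local into main; return (merged_parser, rejected), where rejected
    lists (section, key, reason) for every local setting that was ignored."""
    merged, local = parse(main_text), parse(local_text)
    central = {(s, k) for s in merged.sections() for k in merged[s]}
    rejected = []
    for section in local.sections():
        for key, value in local.items(section):
            if (section, key) in central:
                rejected.append((section, key, "already set centrally"))
            elif key not in allowed:
                rejected.append((section, key, "not delegated to local admins"))
            elif not merged.has_section(section):
                rejected.append((section, key, "section not defined centrally"))
            else:
                merged.set(section, key, value)
    return merged, rejected

if __name__ == "__main__":
    merged, rejected = merge_central_wins(MAIN, LOCAL)
    print(dict(merged["domain/example"]), rejected, sep="\n")
```

The "not already used in the main file" rule alone would accept the `simple_deny_groups` line, which is why the sketch also restricts which keys the local file may set.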