On Thu, 2015-08-20 at 00:54 +0200, Michael Ströder wrote:
> Dmitri Pal wrote:
> > On 08/19/2015 03:53 PM, Jakub Hrozek wrote:
> > > On Wed, Aug 19, 2015 at 09:49:22PM +0530, Rajnesh Kumar Siwal wrote:
> > > > Any suggested workaround?
> > > You can use nss-pam-ldapd just for the hosts database and sssd for the
> > > rest, you can use different views or different servers altogether for
> > > public/private views.
> > >
> > > btw this is the first time I've heard a request for hosts support in
> > > sssd, so I don't think it's something that can be expected, unless
> > > someone steps in and implements the maps.
> >
> > People usually use DNS for that and it is the recommended way of doing
> > things.
> > BTW if you want LDAP managed host entries you can use FreeIPA and it
> > comes with DNS to solve this issue.
>
> But DNS is not subject to access control. Yes, I also already thought
> about making host entries visible only to specific hosts.
>
Hmm, access control is the first good argument I've heard for
supporting hosts in LDAP as opposed to DNS[SEC]. Historically, we've
ignored the hosts map in SSSD because we reasoned that dnsmasq was a
better caching solution for hosts than LDAP. However, being able to
restrict what machines have access to the hosts is actually an
interesting use-case.

If you have a RHEL subscription, I'd encourage you to contact your
support representative to make a formal request for inclusion of the
hosts map in SSSD. If you do not, please file an RFE at
https://fedorahosted.org/sssd with this justification and upstream will
consider it for inclusion in a future release.

Although a case can be made, it sounds an awful lot like security
through obscurity ...
It may be better to use DNS and ACLs in bind to restrict who (as in IP
addresses) can see a zone.
Simo.
--
Simo Sorce * Red Hat, Inc * New York