On Mon, 29 Sep 2014 15:28:28 +0200
Jan Pazdziora wrote:
> On Tue, Sep 23, 2014 at 10:03:36AM -0400, Simo Sorce wrote:
> >
> > I would defer this to when we have actual requests for it.
> > I am not necessarily opposed but it will be confusing. You see a
> > list of domains (or even 'none') and t
On Tue, Sep 23, 2014 at 10:03:36AM -0400, Simo Sorce wrote:
>
> I would defer this to when we have actual requests for it.
> I am not necessarily opposed but it will be confusing. You see a list
> of domains (or even 'none') and then you have to (at least
> mentally) parse all the code snippets to
On Tue, Sep 23, 2014 at 11:01:22AM -0400, Simo Sorce wrote:
> > > > Normally, the list of allowed domains for untrusted users should
> > > > be 'all', which is the current behaviour. However, if the
> > > > trusted user list is set, we should default to 'none' and require
> > > > that access to un
On Tue, 23 Sep 2014 16:54:45 +0200
Jakub Hrozek wrote:
> On Tue, Sep 23, 2014 at 10:03:36AM -0400, Simo Sorce wrote:
> > On Tue, 23 Sep 2014 15:39:19 +0200
> > Jakub Hrozek wrote:
> >
> > > On Tue, Sep 23, 2014 at 09:07:06AM -0400, Simo Sorce wrote:
> > > > > Simo, does the design page reflect
On Tue, Sep 23, 2014 at 10:03:36AM -0400, Simo Sorce wrote:
> On Tue, 23 Sep 2014 15:39:19 +0200
> Jakub Hrozek wrote:
>
> > On Tue, Sep 23, 2014 at 09:07:06AM -0400, Simo Sorce wrote:
> > > > Simo, does the design page reflect the discussion accurately? Can
> > > > we start on the implementation
On Tue, 23 Sep 2014 15:39:19 +0200
Jakub Hrozek wrote:
> On Tue, Sep 23, 2014 at 09:07:06AM -0400, Simo Sorce wrote:
> > > Simo, does the design page reflect the discussion accurately? Can
> > > we start on the implementation?
> >
> > Yes I made a minor edit to the password change clause, should
On Tue, Sep 23, 2014 at 09:07:06AM -0400, Simo Sorce wrote:
> > Simo, does the design page reflect the discussion accurately? Can we
> > start on the implementation?
>
> Yes I made a minor edit to the password change clause, should we add a
> test point about it too ?
>
> Simo.
Ah, thank you ver
On Tue, 23 Sep 2014 11:22:45 +0200
Jakub Hrozek wrote:
> On Mon, Sep 22, 2014 at 05:13:32PM +0200, Jakub Hrozek wrote:
> > On Mon, Sep 22, 2014 at 03:58:50PM +0200, Jan Pazdziora wrote:
> > > On Mon, Sep 22, 2014 at 03:54:09PM +0200, Jakub Hrozek wrote:
> > > >
> > > > >
> > > > > Why exactly do
On Mon, Sep 22, 2014 at 05:13:32PM +0200, Jakub Hrozek wrote:
> On Mon, Sep 22, 2014 at 03:58:50PM +0200, Jan Pazdziora wrote:
> > On Mon, Sep 22, 2014 at 03:54:09PM +0200, Jakub Hrozek wrote:
> > >
> > > >
> > > > Why exactly does the list of domains need to be protected by the list
> > > > of ui
On Mon, Sep 22, 2014 at 03:58:50PM +0200, Jan Pazdziora wrote:
> On Mon, Sep 22, 2014 at 03:54:09PM +0200, Jakub Hrozek wrote:
> >
> > >
> > > Why exactly does the list of domains need to be protected by the list
> > > of uids?
> >
> > Apparently the rest of the PAM data can be faked by the clien
On Mon, Sep 22, 2014 at 03:54:09PM +0200, Jakub Hrozek wrote:
>
> >
> > Why exactly does the list of domains need to be protected by the list
> > of uids?
>
> Apparently the rest of the PAM data can be faked by the client.
How is that worse than the current situation when the client can pass
"u.
On Mon, Sep 22, 2014 at 02:03:51PM +0200, Jan Pazdziora wrote:
> On Fri, Sep 19, 2014 at 08:26:48PM +0200, Jakub Hrozek wrote:
> >
> > === Overview of the solution ===
> > On the PAM client side, the PAM module should receive a new option that
> > specifies the SSSD domains to authenticate against
On Fri, Sep 19, 2014 at 08:26:48PM +0200, Jakub Hrozek wrote:
>
> === Overview of the solution ===
> On the PAM client side, the PAM module should receive a new option that
> specifies the SSSD domains to authenticate against. However, the SSSD
> daemon can't fully trust all PAM services. We can't
Hi,
I have prepared a wiki page summarizing the discussion that happened
previously on this list:
https://lists.fedorahosted.org/pipermail/sssd-devel/2014-July/020867.html
Here is the wiki page:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
For your convenience, I copied the