On 01/28/2016 12:24 PM, Lukas Slebodnik wrote:
> On (27/01/16 16:30), Nikolai Kondrashov wrote:
>> On 01/27/2016 04:17 PM, Lukas Slebodnik wrote:
>>> You mention many options which could possibly be passed to tlog.
>>> e.g.
>>>      TLOG_REC_CONF='{
>>>          "shell":    "/bin/bash",
>>>          "warning":  "WARNING! Your session is being recorded!\n",
>>>          "latency":  10,
>>>          "writer":   "syslog",
>>>          "syslog": {
>>>              "facility": "authpriv",
>>>              "level":    "info"
>>>          }
>>>      }'
>>>
>>> Where will these options be stored? In LDAP?
>>
>> No idea yet. Some of them definitely will, but likely not all.
>
> In this case I would prefer to have the simplest possible change
> in sssd. https://fedorahosted.org/sssd/ticket/2893
>
> SSSD should just enforce using tlog as a shell and provide
> the name of the profile. This profile will be used by tlog to download
> the configuration (json) from a webservice.
> A similar approach was discussed with IPA integration with GNOME.
> IIRC there is already a POC; Alexander might know more.

I think I understand the idea and perhaps storing configuration on a
webservice is fine. However, aren't we forgoing all the management
functionality LDAP provides by putting the configuration on a webservice?

I mean per-user, per-group, per-host, per-whatever configuration? Wouldn't
that require reimplementing them in that webservice? I don't really know much
about how that operates, and maybe that's fine, though.

Then, it just feels wrong to give the lowly recording tool the direct
knowledge of and the direct access to the management system at large. Doesn't
this bypass all the configuration management channels and don't we lose
control here? I.e. caching, offline mode, possible local overrides, etc.?

Also, this means tlog would download this configuration on every session
start, which wouldn't scale that well on hosts with many users, where sssd
could cache that instead.

Still, I guess this is good enough for a start.

Nick
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
