On 02/04/2016 09:45 AM, Simo Sorce wrote:
On Thu, 2016-01-28 at 11:24 +0100, Lukas Slebodnik wrote:
On (27/01/16 16:30), Nikolai Kondrashov wrote:
On 01/27/2016 04:17 PM, Lukas Slebodnik wrote:
You mention many options which could possibly be passed to tlog.
e.g.
     TLOG_REC_CONF='{
         "shell":    "/bin/bash",
         "warning":  "WARNING! Your session is being recorded!\n",
         "latency":  10,
         "writer":   "syslog",
         "syslog": {
             "facility": "authpriv",
             "level":    "info"
         }
     }'

Where will these options be stored? In LDAP?

No idea yet. Some of them definitely will, but likely not all.

In this case I would prefer to have the simplest possible change in sssd.
https://fedorahosted.org/sssd/ticket/2893

SSSD should just enforce using tlog as a shell and provide the
name of a profile. This profile will be used by tlog to download
its configuration (JSON) from a webservice.
A similar approach was discussed for IPA integration with GNOME.
IIRC there is already a POC; Alexander might know more.

Having tlog load data over a network would make it a lot more complex
and expose an attack surface.

+1.

It would also fail for offline cases.

Yes. In a complete loss of connectivity this is not very useful (messages
wouldn't be delivered but cached, and I'm not sure what happens after space
runs out), but there are still cases where only the configuration server would be
down.

For IPA integration we will also probably want to store this data in
LDAP, and not have to invent a new webservice, new authorization engine
and so on and so forth.

+1.

Nick
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
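The thread argues against tlog fetching its configuration over the network, partly because a remote profile is an attack surface and partly because the configuration server may be down while the host is otherwise online. The following is an added example illustrating how a recorder could resolve a layered configuration so that both cases fail safe: a profile that is unreachable, malformed, or tries to set something it should not (an arbitrary shell binary, an unknown writer, an enormous latency) is dropped as a whole and the session is still recorded with the previously accepted settings. This is illustrative code written for this page, not tlog's or SSSD's implementation; the `resolve_config`/`validate` functions, the writer allowlist, the latency cap, the layering order (defaults, then the central profile, then `TLOG_REC_CONF`), and the sample profiles are all assumptions. The default values mirror the `TLOG_REC_CONF` sample quoted above.

```python
"""Illustrative model of resolving a tlog-rec session configuration from
layered sources with fail-safe defaults. Added example, not tlog's or
SSSD's own code: the allowlists, the latency cap and the layering order
are assumptions made for the demonstration."""
import copy
import json

# Baseline the recorder always starts from; values taken from the
# TLOG_REC_CONF sample in the thread.
DEFAULTS = {
    "shell": "/bin/bash",
    "warning": "WARNING! Your session is being recorded!\n",
    "latency": 10,
    "writer": "syslog",
    "syslog": {"facility": "authpriv", "level": "info"},
}

# Assumed policy: which writers a profile may select and how long it may
# hold recorded data back before flushing.
ALLOWED_WRITERS = {"syslog", "journal", "file"}
MAX_LATENCY_SECONDS = 60


class ConfigError(ValueError):
    """A configuration layer failed validation and is rejected as a whole."""


def deep_merge(base, override):
    """Return base updated by override, recursing into nested dicts."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def validate(conf, allowed_shells):
    """Reject settings a remote or user-supplied layer must not control."""
    if conf.get("shell") not in allowed_shells:
        raise ConfigError("shell %r is not an allowed login shell" % conf.get("shell"))
    latency = conf.get("latency")
    if (isinstance(latency, bool) or not isinstance(latency, int)
            or not 0 <= latency <= MAX_LATENCY_SECONDS):
        raise ConfigError("latency %r out of range" % (latency,))
    if conf.get("writer") not in ALLOWED_WRITERS:
        raise ConfigError("writer %r not allowed" % (conf.get("writer"),))
    if not isinstance(conf.get("warning"), str):
        raise ConfigError("warning must be a string")
    if conf["writer"] == "syslog":
        syslog = conf.get("syslog")
        if not isinstance(syslog, dict) or not all(
                isinstance(syslog.get(k), str) for k in ("facility", "level")):
            raise ConfigError("syslog writer needs string facility and level")
    return conf


def resolve_config(profile_json, allowed_shells, env_json=None):
    """Build the effective configuration and report which layers applied.

    profile_json: JSON text for the user's profile from the central source
    (LDAP via SSSD, or a webservice), or None when that source is down.
    env_json: optional JSON text from TLOG_REC_CONF, applied on top.

    A layer that is malformed or fails validation is skipped and the
    previously accepted configuration is kept, so a hostile or broken
    profile, or an unreachable server, still yields a recorded session.
    """
    conf = copy.deepcopy(DEFAULTS)
    applied = []
    for name, text in (("profile", profile_json), ("env", env_json)):
        if text is None:
            continue  # source unavailable: keep what we have
        try:
            override = json.loads(text)
            if not isinstance(override, dict):
                raise ConfigError("top-level value must be an object")
            conf = validate(deep_merge(conf, override), allowed_shells)
        except (ValueError, TypeError):  # JSONDecodeError is a ValueError
            continue
        applied.append(name)
    return conf, applied


# Constructed sample inputs for the demonstration.
PROFILE_OK = json.dumps({"latency": 5, "syslog": {"level": "notice"}})
PROFILE_HOSTILE = json.dumps({"shell": "/tmp/not-a-shell", "latency": 100000})
LOGIN_SHELLS = {"/bin/bash", "/bin/sh"}

if __name__ == "__main__":
    for label, profile in (("ok", PROFILE_OK), ("hostile", PROFILE_HOSTILE),
                           ("server down", None)):
        conf, applied = resolve_config(profile, LOGIN_SHELLS)
        print(label, applied, conf["shell"], conf["latency"],
              conf["syslog"]["level"])
```

The point of the shape is that every rejection path leads back to a configuration that still records, and that `applied` tells the operator which layers actually took effect, which is the thing you want in a log line when a central profile silently stops being honoured.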
