On Tue, Mar 07, 2017 at 01:16:00PM +0100, Pavel Březina wrote:
> On 03/06/2017 02:49 PM, Jakub Hrozek wrote:
> > Hi,
> > 
> > I prepared a design page for a new feature about fetching and
> > authenticating non-POSIX users:
> >     https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html
> > 
> > For your convenience, I'm also copying the .rst text below:
> > 
> > Support for non-POSIX users and groups
> > ======================================
> > 
> > Related ticket(s):
> > ------------------
> >     https://pagure.io/SSSD/sssd/issue/3310
> 
> I find this document quite hard to understand, so I want to ensure I get it
> right:
> 
> 1) You can't have one domain that returns both posix and non-posix users.

Yes, to avoid inconsistencies between lookups of the same user mostly.

> 2) PAM is allowed to log in non-posix users for given services.

Yes, only for those configured with the application_services option.

> 3) If CACHE_REQ_APP is used, non-posix domains are searched first then posix
> domains.

No, only non-POSIX domains are searched.

> 4) If CACHE_REQ_POSIX is used, non-posix domains are skipped.

Yes.

> 5) Non-posix domains require fully qualified name.

Not in general. Because whether only POSIX or only non-POSIX domains are
searched is restricted by the CACHE_REQ_APP/POSIX option, the only time
you need to qualify a user is when you request the user through an
interface that supports both POSIX and non-POSIX lookups and at the same
time there is no 'hint' that would tell you the intent of the caller.

That's basically only the IFP interface, because the PAM interface
specifies the intent by selecting the right service.

The other interfaces (NSS, SSH, sudo, ..) are strictly POSIX so they
would only hit the POSIX domains in the first place.

> 6) Posix users return only posix groups membership.

Yes.

> 7) Non-posix users return both posix and non-posix membership.

Yes, because non-POSIX groups are a superset of POSIX groups (as long as
all POSIX groups also have the objectclass that the non-POSIX groups
have).
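The routing rules agreed on in points 1 to 7 above, as an added illustration that is not SSSD's code and not part of the thread: a small Python model where each configured domain is either POSIX or non-POSIX, `CACHE_REQ_APP` searches only non-POSIX domains, `CACHE_REQ_POSIX` skips them, and an IFP-style request with no intent hint must qualify the name. The domain, user and group data are constructed; the rule that an unqualified IFP lookup is accepted when all configured domains are of one kind is this example's assumption about the 'hint' discussion, not something the thread states.

```python
"""Model of the domain-selection rules discussed in the thread (added example,
not SSSD's own code). Domain, user and group data below are constructed."""
from dataclasses import dataclass
from enum import Enum


class ReqType(Enum):
    POSIX = "posix"  # NSS, SSH, sudo and PAM for ordinary services
    APP = "app"      # PAM for services listed in application_services
    ANY = "any"      # IFP: caller may want either kind, no intent hint


@dataclass
class Domain:
    name: str
    posix: bool
    users: dict    # user name -> set of group names
    groups: dict   # group name -> True if the group has POSIX attributes


class QualifiedNameRequired(Exception):
    """Raised when an unqualified name cannot be routed unambiguously."""


def candidate_domains(domains, req):
    """Domains a request of type `req` is allowed to search (points 3 and 4)."""
    if req is ReqType.APP:
        return [d for d in domains if not d.posix]  # only non-POSIX domains
    if req is ReqType.POSIX:
        return [d for d in domains if d.posix]      # non-POSIX domains skipped
    return list(domains)                            # ANY: everything is a candidate


def resolve_user(domains, req, name):
    """Return (domain, user) for `name`, or None if no candidate domain has it.

    `user@domain` pins the lookup to one domain, which must still be allowed
    for the request type. For ANY, an unqualified name is accepted only when
    the configured domains are all of one kind; otherwise the caller must
    qualify it (assumption made by this example, see lead-in).
    """
    allowed = candidate_domains(domains, req)
    if "@" in name:
        user, dom_name = name.rsplit("@", 1)
        for d in allowed:
            if d.name == dom_name and user in d.users:
                return d, user
        return None
    if req is ReqType.ANY and len({d.posix for d in allowed}) > 1:
        raise QualifiedNameRequired(name)
    for d in allowed:
        if name in d.users:
            return d, name
    return None


def group_membership(domain, user):
    """Points 6 and 7: POSIX users get only POSIX groups, non-POSIX users get all."""
    member_of = domain.users[user]
    if domain.posix:
        return sorted(g for g in member_of if domain.groups[g])
    return sorted(member_of)


# Constructed sample configuration: one POSIX and one non-POSIX domain.
DOMAINS = [
    Domain("corp.example", posix=True,
           users={"alice": {"devs", "wheel"}},
           groups={"devs": True, "wheel": True}),
    Domain("apps.example", posix=False,
           users={"bob": {"app-admins", "devs"}},
           groups={"app-admins": False, "devs": True}),
]


def lookup(req, name):
    """Convenience wrapper returning (domain name, groups) or None."""
    hit = resolve_user(DOMAINS, req, name)
    if hit is None:
        return None
    domain, user = hit
    return domain.name, group_membership(domain, user)


if __name__ == "__main__":
    print(lookup(ReqType.POSIX, "alice"))  # POSIX interface sees the POSIX user
    print(lookup(ReqType.POSIX, "bob"))    # None: non-POSIX domain is skipped
    print(lookup(ReqType.APP, "bob"))      # application service sees bob and all his groups
    print(lookup(ReqType.APP, "alice"))    # None: only non-POSIX domains are searched
    try:
        lookup(ReqType.ANY, "bob")
    except QualifiedNameRequired as exc:
        print("IFP lookup needs a qualified name:", exc)
    print(lookup(ReqType.ANY, "bob@apps.example"))
```

Running the block shows the asymmetry from point 7 directly: `bob` in the non-POSIX domain is returned with both `app-admins` and the POSIX-capable `devs` group, while a POSIX user never sees a non-POSIX group.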
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org