URL: https://github.com/SSSD/sssd/pull/215 Author: jhrozek Title: #215: Support for non-POSIX users and groups Action: edited
Changed field: body Original value: """ This PR implements https://pagure.io/SSSD/sssd/issue/3310 The goal is to enable application users through the Apache modules or directly through the IFP interface and the PAM interface to authenticate users. To reproduce, you can add users w/o POSIX information like this to LDAP: dn: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test displayName: new user uid: nonposix krbCanonicalName: nonpo...@ipa.test objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: mepOriginEntry initials: nu sn: user mail: nonpo...@ipa.test krbPrincipalName: nonpo...@ipa.test givenName: new cn: new user And optionally add the user to groups, like this: dn: cn=npgr2,cn=groups,cn=accounts,dc=ipa,dc=test objectClass: ipaobject objectClass: top objectClass: ipausergroup objectClass: groupofnames objectClass: nestedgroup cn: npgr2 member: uid=nonposix,cn=users,cn=accounts,dc=ipa,dc=test Then, the D-Bus calls like GetUserAttrs should resolve extra attributes of the users, the groups the users are in should be resolvable as well. In addition, PAM authentication should work against application domains as long as the service invoking the PAM conversation is listed in the 'pam_app_services' option. """
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
