On Wed, Jun 28, 2017 at 03:29:02PM +0100, Howard Johnson wrote:
> Cheers for the feedback.
> 
> On 2017-06-28 12:14, Alexander Bokovoy wrote:
> 
> > We are going to introduce a special type of groups where membership
> > reading would be limited to some conditions but this would not be
> > relevant to HBAC, at least from my current understanding of the
> > situation. This is to support organizational groups, not host-based
> > access rights.
> 
> I guess at worst for this we might need a new set of
> role/privilege/permission that would allow viewing of all memberOf
> attributes.
> 
> > On Tue, 27 Jun 2017, Jakub Hrozek wrote:
> > > There were requests to implement authentication over the D-bus interface
> > > in the past and we were quite reluctant to them, but IIRC that was
> > > because PAM handles prompting for the secrets, passing auth tokens and
> > > it's just well battle-tested.
> 
> Yeah, that absolutely makes sense.
> 
> > > But I don't see the same issues with an authorization call.
> 
> Excellent :)
> 
> > > I would prefer another interface than infopipe (authzpipe?), but in
> > > general, as long as the interface is restricted to authorization and not
> > > authentication, I don't see an inherent issue.
> 
> Would the authzpipe be another interface provided by sssd_ifp, or would you
> want another process (say, sssd_azp) to provide it?

I think reusing the same responder is OK, but I would prefer another
interface. I don't know if we have any issues supporting multiple
interfaces from the same process, but if we do, it's a bug and should be
fixed.

> 
> I guess then if I were to start working up some patches, I wouldn't be
> wasting everyone's time? :)

Could you please write up a design page first?

Check e.g.
https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html

The source can be found in our docs repo:
    https://pagure.io/SSSD/docs
here:
    https://pagure.io/SSSD/docs/blob/master/f/design_pages/non_posix_support.rst
(submitting a PR against the docs repo is enough)
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org