On 10/24/2012 06:52 AM, Tomas Brandysky wrote:
> We're using LDAP authentication (nss_ldap package) on our CentOS 5.8
> servers and have different PAM ldap configuration files configured to be
> used for specific PAM services.
...
> We didn't find out so far how to specify custom sssd configuration file
> (or specific part of the configuration section/domain) in PAM service
> configuration.

I'm not aware of a way to do this directly, and I'd be surprised if it
were at all possible. sssd was designed to move LDAP operations into a
service to improve scalability and avoid LDAP operations before the
network or LDAP server was available (among other reasons). Since
there's just one service, you're probably only going to see one PAM
configuration with sssd.

I think most people would approach this problem using POSIX group
membership to indicate service access, rather than a per-service ldap
attribute. You weren't specific about what LDAP filters you're
applying, so I'm obviously making some assumptions.

Using group memberships, your PAM configuration could include pam_access
with accessfile=<path>. The access file could indicate on a per-service
basis which group memberships were needed to grant access.

If you must use ldap filters directly, you'll probably have to use sssd
for NSS, and install the old pam_ldap package. It's still available,
and you should be able to use it in conjunction with SSSD.
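
An added example (not part of the original message) of the pam_access approach described above: one access file per PAM service, keyed on POSIX group membership. The service names, file paths and group names (sshusers, ftpusers) are assumptions chosen for illustration, and only the pam_access line of each account stack is shown.

```conf
# --- /etc/pam.d/sshd (account stack excerpt) ---
# pam_access reads the service-specific file named by accessfile=
# instead of the default /etc/security/access.conf.
account    required    pam_access.so accessfile=/etc/security/access-sshd.conf

# --- /etc/pam.d/vsftpd (account stack excerpt) ---
account    required    pam_access.so accessfile=/etc/security/access-vsftpd.conf

# --- /etc/security/access-sshd.conf ---
# Format: permission : users/groups : origins
# Lines are evaluated top to bottom; the first match decides.
# Keep local root access so a directory outage cannot lock out the console.
+ : root : LOCAL
# Members of the (hypothetical) POSIX group sshusers may log in from anywhere.
# Parentheses mark the name as a group rather than a user.
+ : (sshusers) : ALL
# Everyone else is denied for this service.
- : ALL : ALL

# --- /etc/security/access-vsftpd.conf ---
# Same pattern, different (hypothetical) group for the FTP service.
+ : (ftpusers) : ALL
- : ALL : ALL
```

The final `- : ALL : ALL` line is what makes each file default-deny; without it, a user who matches no earlier line is allowed through.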