[Freeipa-users] Is sssd currently useable with freeipa v2 ?

Oliver Burtchen o.burtchen at gmx.de
Mon May 3 20:51:10 UTC 2010


On Monday, 3 May 2010 21:17:35, Dmitri Pal wrote:
> Stephen Gallagher wrote:
> > On 05/03/2010 02:55 PM, Rob Crittenden wrote:
> >> Oliver Burtchen wrote:
> >>> What are the exact service names to use in --service? I know basically
> >>> they are the ones like in /etc/services, or what pam uses. But I
> >>> noticed that both ssh and sshd are applicable for ssh. Is there
> >>> somewhere a list, or do they provide it by themselves, and I can only
> >>> make a good guess and try?
> >>
> >> To be honest, I'm not sure myself. I'm guessing that sssd has a
> >> mechanism for determining this. I've filed
> >> https://bugzilla.redhat.com/show_bug.cgi?id=588412 to track this
> >> question.
> >
> > I'm going to let Sumit comment on the Bugzilla ticket, since he'd know
> > better, but I'm 99% certain that we get this directly from PAM (as in,
> > the application itself provides that data when making a PAM request).
> >
> > Looking at a recent auth I performed on my system, I see the raw PAM
> > data that comes in from (for example) 'su -l' is reported to us as
> > "service: su-l".
> >
> > My assumption is that SSSD's HBAC simply treats that as canonical.
> 
> Thanks for reminding me. It now rings a bell. The service name is what
> the application provides when it uses pam calls. There is no full enumeration.
> It is whatever is used by an application.
> Having a good list would be nice though, at least identifying the
> applications that we already know use specific service names.
> 

For the record: After reading Sumit's reply at bugzilla and this

"In general, the service name is the name of the program used to access the 
service, not the program used to provide the service. This is why the service 
wu-ftpd, defines its service name as /etc/pam.d/ftp." quoted from

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-pam-config-files.html

I tested it a little bit out:

If you set a hbac-rule with --service=su-l, it will only apply to "su -l" or 
"su -", but not to a simple "su".

If you set a hbac-rule with --service=su, it will apply to "su -l", "su -" and 
a simple "su".

So my assumption is that applications do try from a specific name, down to the 
general one. This is why "sshd" and "ssh" work. Or is it pam who does this 
magic?

Btw: I also think a good list with well known services would be nice, so 
someone who tries to set up wu-ftpd, like the example in the redhat-docu, uses 
"ftp", and not "wu-ftpd". It's just a wish for the upcoming documentation.
;-)

Best regards,
Oli


-- 
Oliver Burtchen, Berlin
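As an added example (not code from this thread, nor from FreeIPA or SSSD), the script below builds the kind of list of known PAM service names the post wishes for: following the quoted Red Hat text, it treats each file name under /etc/pam.d as a service name and records which other stacks each one pulls in through include/substack, so related names such as su-l and su can be reviewed side by side before writing HBAC rules. The directory contents are a constructed sample modelled on a Fedora-like layout; load_pamd is the helper to point at a real /etc/pam.d.

```python
import os
from typing import Dict, List, Set

# Constructed /etc/pam.d sample (assumed Fedora-like layout where su-l pulls in su).
SAMPLE_PAMD = {
    "su": "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth include system-auth\n"
          "account include system-auth\nsession include system-auth\n",
    "su-l": "#%PAM-1.0\nauth include su\naccount include su\n"
            "session optional pam_keyinit.so force revoke\nsession include su\n",
    "sshd": "auth substack password-auth\naccount include password-auth\n",
    "password-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                     "auth sufficient pam_sss.so use_first_pass\n",
    "system-auth": "auth sufficient pam_sss.so\n",
}

def parse_includes(text: str) -> List[str]:
    """Service names a pam.d stack pulls in via 'include' or 'substack', in order."""
    included = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tokens) < 3:
            continue
        # Layout: type control module [args]; a bracketed control such as
        # "[success=1 default=ignore]" may span several tokens.
        if tokens[1].startswith("["):
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), len(tokens) - 1)
            control, module_idx = " ".join(tokens[1:end + 1]), end + 1
        else:
            control, module_idx = tokens[1], 2
        if control in ("include", "substack") and module_idx < len(tokens):
            included.append(tokens[module_idx])
    return list(dict.fromkeys(included))  # de-duplicate, keep first-seen order

def load_pamd(pamd_dir: str) -> Dict[str, str]:
    """Read a real directory such as /etc/pam.d into the same {name: text} shape."""
    names = [n for n in os.listdir(pamd_dir) if os.path.isfile(os.path.join(pamd_dir, n))]
    return {n: open(os.path.join(pamd_dir, n)).read() for n in names}

def service_map(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service name (the file name) to the stacks it includes directly."""
    return {name: parse_includes(text) for name, text in sorted(files.items())}

def resolve(name: str, smap: Dict[str, List[str]], seen: Set[str] = None) -> Set[str]:
    """All stacks reached transitively from a service, guarding against cycles."""
    seen = set() if seen is None else seen
    for inc in smap.get(name, []):
        if inc not in seen:
            seen.add(inc)
            resolve(inc, smap, seen)
    return seen
```

Running `service_map(load_pamd("/etc/pam.d"))` on a host and printing `resolve(name, smap)` for each name yields the service list with its include chains.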



