[Freeipa-users] Is sssd currently useable with freeipa v2 ?

Sumit Bose sbose at redhat.com
Mon May 3 21:16:46 UTC 2010 

On Mon, May 03, 2010 at 10:51:10PM +0200, Oliver Burtchen wrote:
> Am Montag, 3. Mai 2010 21:17:35 schrieb Dmitri Pal:
> > Stephen Gallagher wrote:
> > > On 05/03/2010 02:55 PM, Rob Crittenden wrote:
> > >> Oliver Burtchen wrote:
> > >>> What are the exact service-names to use in --service? I know basically
> > >>> they are the ones like in /etc/services, or what pam uses. But I
> > >>> noticed that both ssh and sshd are applicable for ssh. Is there
> > >>> somewhere a list or do they provide it by their selfs, and I can only
> > >>> make a good guess and try.
> > >>
> > >> To be honest, I'm not sure myself. I'm guessing that sssd has a
> > >> mechanism for determining this. I've filed
> > >> https://bugzilla.redhat.com/show_bug.cgi?id=588412 to track this
> > >> question.
> > >
> > > I'm going to let Sumit comment on the Bugzilla ticket, since he'd know
> > > better, but I'm 99% certain that we get this directly from PAM (as in,
> > > the application itself provides that data when making a PAM request).
> > >
> > > Looking at a recent auth I performed on my system, I see the raw PAM
> > > data that comes in from (for example) 'su -l' is reported to us as
> > > "service: su-l".
> > >
> > > My assumption is that SSSD's HBAC simply treats that as canonical.
> > 
> > Thanks for reminding me. It now rings the bell. The service name is what
> > application provides when uses pam calls. There is no full enumeration.
> > It is whatever is used by an application.
> > Having a good list would be nice though, at least identifying the
> > applications that we already know use specific service names.
> > 
> 
> For the record: After reading Sumits reply at bugzilla and this
> 
> "In general, the service name is the name of the program used to access the 
> service, not the program used to provide the service. This is why the service 
> wu-ftpd, defines its service name as /etc/pam.d/ftp." quoted from
> 
> http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-pam-
> config-files.html
> 
> I tested it a little bit out:
> 
> If you set a hbac-rule with --service=su-l, it will only apply to "su -l" or 
> "su -", but not to a simple "su".
> 
> If you set a hbac-rule with --service=su, it will apply to "su -l", "su -"and 
> a simple "su".
> 
> So my assumption is, that applications do try from a specific name, down to the 
> general one. This is why "sshd" and "ssh" work. Or is it pam who does this 
> magic?

No it is not PAM, but some kind of error on my side. The strings sssd gets
from the LDAP server are not terminated with \0, but the size is known
(this is because the ASN.1 coding of the LDAP messages). I was lazy and
just compared up to the length return by LDAP. Although the effect might
look convenient I think this is an error. I'll try to fix it tomorrow.

bye,
Sumit

> 
> Btw: I also think a good list with well known services would be nice, so 
> someone who tries to set up wu-ftpd, like the example in the redhat-docu, uses 
> "ftp", and not "wu-ftpd". It's just a wish for the upcomming documentation.  
> ;-)
> 
> Best regards,
> Oli
> 
> 
> -- 
> Oliver Burtchen, Berlin
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list