authorPavel Reichl <preichl@redhat.com>2014-09-25 14:52:31 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-09-29 18:27:07 +0200
commit830ded27453015080a54d6ba85fd4999ee7e9af1 (patch)
tree2dcdecd4d211c25e7e1dd909e062e534348227db /src/config
parentcb7644495e76ffa3e19ba10efb4a0f5f3817ba33 (diff)
PAM: new options pam_trusted_users & pam_public_domains
pam_trusted_users option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r--src/config/SSSDConfig/__init__.py.in2
-rw-r--r--src/config/etc/sssd.api.conf2
2 files changed, 4 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 9a49b91b9..ee48094d0 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -82,6 +82,8 @@ option_strings = {
'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
+ 'pam_trusted_users' : _('List of trusted uids or user\'s name'),
+ 'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
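Review bot: The two added help strings are worded unlike the entries around them: `'List of trusted uids or user\'s name'` is ungrammatical and needs an escaped quote, and the `pam_public_domains` text ends with a period where the neighbouring strings do not. I would write `'pam_trusted_users' : _('List of trusted UIDs or user names'),` and drop the trailing period from the second string. Because these options appear to control which callers may reach which domains, the text would also help administrators if it said what "trusted" grants, presumably access to domains not listed in `pam_public_domains`, which should be confirmed against the design page. The `option_strings` dict starts and ends outside this hunk.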
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 52629ded4..c47ce348c 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -55,6 +55,8 @@ pam_verbosity = int, None, false
pam_id_timeout = int, None, false
pam_pwd_expiration_warning = int, None, false
get_domains_timeout = int, None, false
+pam_trusted_users = str, None, false
+pam_public_domains = str, None, false
[sudo]
# sudo service
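Review bot: Both new options are declared as `str, None, false`, although the help strings added in the same commit describe each as a list, so the config API will accept any string and cannot check individual entries. If a list type is intended, the schema line should say so; if the value is deliberately a comma-separated string parsed by the PAM responder, a comment above the two lines such as `# comma-separated; parsed and validated by the PAM responder` would make that explicit. No default is given here either, so what an unset `pam_trusted_users` or `pam_public_domains` means is decided outside `src/config` and is not visible in this diff. For an access-control setting that default should be documented next to the option, since a misspelled user or domain name would otherwise pass this layer silently.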