author | Jakub Hrozek <jhrozek@redhat.com> | 2017-03-26 18:28:41 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-03-30 14:09:52 +0200 |
commit | 3e789aa0bd6b7bb6e62f91458b76753498030fb5 (patch) | |
tree | d8c01ead785cc60ac9360cc8a49d91147acaa5ef /src/config | |
parent | 57eeec5d735c7a3bbe58299fded97414626d85f1 (diff) | |
PAM: Add application services
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rw-r--r-- | src/config/cfg_rules.ini | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 |
3 files changed, 3 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 070994bcd..a29d51e0d 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -102,6 +102,7 @@ option_strings = {
 'pam_cert_auth' : _('Allow certificate based/Smartcard authentication.'),
 'pam_cert_db_path' : _('Path to certificate databse with PKCS#11 modules.'),
 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
+ 'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
 # [sudo]
 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 8fd2d2c52..1a749db75 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -119,6 +119,7 @@ option = pam_account_locked_message
 option = pam_cert_auth
 option = pam_cert_db_path
 option = p11_child_timeout
+option = pam_app_services
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a38b24208..a1a0c2992 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -73,6 +73,7 @@ pam_account_locked_message = str, None, false
 pam_cert_auth = bool, None, false
 pam_cert_db_path = str, None, false
 p11_child_timeout = int, None, false
+pam_app_services = str, None, false
 [sudo]
 # sudo service |
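Review bot: The help string added for `pam_app_services` in `option_strings` states only the permissive half of the option. The commit description says the listed services are also NOT allowed to contact any POSIX domain, so listing a service here restricts it as well as enabling it, and an administrator reading only this string would not learn that. A wording that carries both halves would be `_('PAM services that may contact application (non-POSIX) domains only')`. The `option_strings` dict starts and ends outside the hunk.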
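Review bot: `pam_app_services` is declared in `sssd.api.conf` as `str, None, false`, while the commit description says it holds a list of PAM services. With a plain `str` type the configuration API presumably treats the value as one opaque string, so a malformed list or a misspelled service name would not be caught when the configuration is written. Because the option decides which services may reach application domains and which are kept to POSIX domains, such a mismatch silently changes what a service can contact. If the schema's list form applies here, `pam_app_services = list, str, false` would let the items be parsed individually. Otherwise a comment above the entry such as `# comma-separated list of PAM service names` documents the expected format.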