Chapter 26. Policy: Restricting Domains for PAM services
With pam_ldap, it was possible to pass a separate configuration file as a parameter to the PAM module. This chapter describes a similar feature for SSSD: a PAM service can be restricted to a subset of the configured SSSD domains, and the set of users allowed to use PAM against the remaining domains can be limited. The following options control this behavior.
- pam_trusted_users (for the [pam] section of /etc/sssd/sssd.conf)
- This option accepts a comma-separated list of numerical UIDs or user names that are to be trusted by the SSSD daemon, that is, allowed to run PAM requests against any configured domain. The default value is the special keyword all, which means that all users are trusted. This matches the behavior without the option, where any user can access any domain.
- pam_public_domains (for the [pam] section of /etc/sssd/sssd.conf)
- This option accepts a comma-separated list of SSSD domains that are accessible even to untrusted users. Two special keywords, all and none, are also available. The default value is none, so that an administrator who starts distinguishing between trusted and untrusted users must explicitly list the domains that an untrusted client may access.
- domains (for individual PAM module configuration)
- This option accepts a comma-separated list of domains against which the PAM service is allowed to authenticate. The setting interacts with the domains= option in the [sssd] section of the /etc/sssd/sssd.conf file, which lists the domains in the order SSSD queries them. The PAM module configuration cannot add to this list; it can only restrict it by naming a subset.
Example 26.1. Sample PAM Module Configuration
A /etc/pam.d/ configuration file has the following form:
    module-type control-flag module-path arguments
In this example, the sss_test PAM service is restricted to the openldap domain, and the pam_env module, which sets and unsets environment variables, is allowed for all users:
    $ cat /etc/pam.d/sss_test
    auth     required pam_sss.so domains=openldap
    account  required pam_sss.so domains=openldap
    session  required pam_sss.so domains=openldap
    password required pam_sss.so domains=openldap
The /etc/sssd/sssd.conf file can then look like this:
    [sssd]
    domains = ipa, openldap   # the list can be restricted by specific PAM module configuration

    [pam]
    pam_public_domains = ipa             # all users are allowed to access the ipa domain
    pam_trusted_users = root, sss_test   # root and sss_test are allowed to run PAM
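The following script is an added example, not code from the SSSD project or from this chapter. It shows the two checks a practitioner would want for the options above and for Example 26.1: that a PAM service file only names domains that the [sssd] domains list actually contains (a service can narrow the list but not extend it), and how the pam_trusted_users / pam_public_domains pair decides whether a given PAM client may reach a given domain. One caveat the policy depends on: pam_trusted_users refers to the user running the PAM conversation (the PAM client, such as sss_test above), not to the account being authenticated. The configuration texts are constructed copies of Example 26.1, and the variable and function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not SSSD project code): check a PAM service file against
# /etc/sssd/sssd.conf and evaluate the trusted/public domain policy offline.
# The config texts below are constructed copies of Example 26.1; the names
# SSSD_CONF, PAM_FILE and the function names are assumptions for this example.

SSSD_CONF=$(cat <<'EOF'
[sssd]
domains = ipa, openldap   # the list can be restricted by specific PAM module configuration

[pam]
pam_public_domains = ipa             # all users are allowed to access the ipa domain
pam_trusted_users = root, sss_test   # root and sss_test are allowed to run PAM
EOF
)

PAM_FILE=$(cat <<'EOF'
auth     required pam_sss.so domains=openldap
account  required pam_sss.so domains=openldap
session  required pam_sss.so domains=openldap
password required pam_sss.so domains=openldap
EOF
)

# ini_value SECTION KEY: read sssd.conf text on stdin and print the value of
# KEY in [SECTION], one comma-separated item per line, trailing "#" comment dropped.
ini_value() {
    awk -v sec="[$1]" -v key="$2" '
        BEGIN { re = "^[ \t]*" key "[ \t]*=" }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && $0 ~ re {
            sub(/^[^=]*=[ \t]*/, "")      # drop "key ="
            sub(/[ \t]*#.*$/, "")         # drop trailing comment
            sub(/[ \t]+$/, "")
            gsub(/[ \t]*,[ \t]*/, "\n")   # one item per line
            print; exit
        }'
}

# pam_domains: read a /etc/pam.d/<service> file on stdin and print every
# domain named by a domains= argument on a pam_sss.so line (deduplicated).
pam_domains() {
    awk '/pam_sss\.so/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^domains=/) { v = substr($i, 9); gsub(/,/, "\n", v); print v }
    }' | sort -u
}

# check_pam_domains SSSD_CONF_TEXT PAM_FILE_TEXT: return 0 when every domain the
# PAM service names is in the global [sssd] domains list. A PAM service can only
# narrow that list, so an extra name is a configuration error: SSSD does not
# serve a domain that is not listed in sssd.conf.
check_pam_domains() {
    global=$(printf '%s\n' "$1" | ini_value sssd domains)
    bad=""
    for d in $(printf '%s\n' "$2" | pam_domains); do
        printf '%s\n' "$global" | grep -qxF "$d" || bad="$bad $d"
    done
    [ -z "$bad" ] && return 0
    echo "error: PAM service names domains missing from [sssd] domains:$bad" >&2
    return 1
}

# can_access SSSD_CONF_TEXT CLIENT DOMAIN: apply the policy described above.
# CLIENT is the user (name or numeric UID, matched literally here) running the
# PAM conversation, not the account being authenticated. Trusted clients
# (pam_trusted_users, default "all") may use any domain; other clients may use
# only pam_public_domains (default "none"; "all" opens every domain).
can_access() {
    trusted=$(printf '%s\n' "$1" | ini_value pam pam_trusted_users)
    public=$(printf '%s\n' "$1" | ini_value pam pam_public_domains)
    [ -z "$trusted" ] && trusted=all
    [ -z "$public" ] && public=none
    if [ "$trusted" = all ] || printf '%s\n' "$trusted" | grep -qxF "$2"; then
        echo allow; return 0
    fi
    if [ "$public" = all ] || printf '%s\n' "$public" | grep -qxF "$3"; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# Stand-alone demonstration.
if check_pam_domains "$SSSD_CONF" "$PAM_FILE"; then echo "sss_test: domains OK"; fi
if check_pam_domains "$SSSD_CONF" 'auth required pam_sss.so domains=openldap,ad'; then
    echo "unexpected"; else echo "openldap,ad: rejected (ad is not an SSSD domain)"; fi
printf 'sss_test -> openldap: %s\n' "$(can_access "$SSSD_CONF" sss_test openldap)"
printf 'nobody   -> openldap: %s\n' "$(can_access "$SSSD_CONF" nobody openldap)"
printf 'nobody   -> ipa:      %s\n' "$(can_access "$SSSD_CONF" nobody ipa)"
```

On a real host, replace the embedded texts with `cat /etc/sssd/sssd.conf` and `cat /etc/pam.d/<service>`; the parser only understands the plain `key = value` lines shown here and a single `domains=` argument per pam_sss.so line, which is enough for the layout in Example 26.1.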