10.4. Restricting Domains for PAM services
SSSD can restrict which domains a PAM service is allowed to access; the restriction is keyed on the user the PAM service runs under. Previously, this was handled by pam_ldap, which was able to use a separate configuration file as a parameter for a PAM module.
Options to Restrict Access to Domains
pam_trusted_users in /etc/sssd/sssd.conf
- This option accepts a list of numerical UIDs or user names representing the PAM services that are to be trusted by SSSD. The default setting is all, which means all service users are trusted and can access any domain.
pam_public_domains in /etc/sssd/sssd.conf
- This option accepts a list of public SSSD domains. Public domains are domains accessible even for untrusted PAM service users. The option also accepts the all and none values. The default value is none, which means no domains are public and untrusted service users therefore cannot access any domain.
domains for PAM configuration files
- This option specifies a list of domains against which a PAM service can authenticate. If you use domains without specifying any domain, the PAM service will not be able to authenticate against any domain, for example:
auth required pam_sss.so domains=
If domains is not used in the PAM configuration file, the PAM service is able to authenticate against all domains, on the condition that the service is running under a trusted user.
The domains option in the /etc/sssd/sssd.conf SSSD configuration file also specifies a list of domains against which SSSD attempts to authenticate. Note that the domains option in a PAM configuration file cannot extend the list of domains in sssd.conf; it can only restrict the sssd.conf list of domains by specifying a shorter list. Therefore, if a domain is specified in the PAM file but not in sssd.conf, the PAM service will not be able to authenticate against that domain.
The default settings pam_trusted_users = all and pam_public_domains = none specify that all PAM service users are trusted and can access any domain. The domains option for PAM configuration files can be used in this situation to restrict the domains that can be accessed.
Note: When you specify a domain using domains in the PAM configuration file while pam_public_domains is in use, it might be required to specify the domain in pam_public_domains as well. If pam_public_domains is used but does not include the required domain, the PAM service will not be able to successfully authenticate against the domain if it is running under an untrusted user.
For more information about the pam_trusted_users and pam_public_domains options, see the sssd.conf(5) man page. For more information about the domains option used in PAM configuration files, see the pam_sss(8) man page.
Example 10.2. Restricting Domains for a PAM Service
- Make sure SSSD is configured to access the required domain or domains. The domains against which SSSD can authenticate are defined in the domains option in the /etc/sssd/sssd.conf file:
[sssd]
domains = domain1, domain2, domain3
- Specify the domain or domains to which a PAM service will be able to authenticate. To do this, set the domains option on the pam_sss.so line in the PAM configuration file. For example:
auth sufficient pam_sss.so forward_pass domains=domain1
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
In this example, the PAM service is only allowed to authenticate against domain1, even though sssd.conf lists three domains.
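The three options above interact, and the note about pam_public_domains is where deployments usually go wrong: a service running under an untrusted user keeps only the intersection of its domains= list and pam_public_domains. The following script is an added example, not SSSD's code or part of the original guide; it models the rules stated in this section so you can check, before rolling a change out, which domains a given PAM service will actually be able to authenticate against. The sssd.conf and /etc/pam.d fragments it reads are constructed inline (the service user names "sshd" and "webapp", and domain9, are assumptions for the illustration), and the trusted-user check compares the string exactly as listed (name or numeric UID) with no passwd lookup.

```python
"""Model of how pam_trusted_users, pam_public_domains and the PAM domains=
option combine. Added illustration of the rules in this section; this is
not SSSD's own implementation."""
import configparser
import shlex
from typing import Optional

# Constructed sssd.conf fragment: three domains, only root and sshd are
# trusted service users, and only domain1 is reachable by untrusted ones.
SSSD_CONF = """
[sssd]
domains = domain1, domain2, domain3
pam_trusted_users = root, sshd
pam_public_domains = domain1
"""

# Constructed /etc/pam.d/<service> contents (assumed service names).
PAM_SSHD = """
auth     sufficient pam_sss.so forward_pass
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
"""

# domain9 is not in sssd.conf; domain2 is not public.
PAM_WEBAPP = """
auth     sufficient pam_sss.so forward_pass domains=domain1,domain2,domain9
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

# Bare "domains=" locks the service out of every domain.
PAM_LOCKED = "auth required pam_sss.so domains=\n"


def _split(value: str) -> list[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_sssd_conf(text: str) -> dict:
    """Read the [sssd] section, applying the documented defaults."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sssd = cp["sssd"]
    return {
        "domains": _split(sssd.get("domains", "")),
        "trusted": _split(sssd.get("pam_trusted_users", "all")),
        "public": _split(sssd.get("pam_public_domains", "none")),
    }


def pam_domains_option(pam_text: str) -> Optional[list[str]]:
    """Return the domains= list from the auth pam_sss.so line: [] for a
    bare 'domains=', None when the option is absent."""
    for line in pam_text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields or fields[0] != "auth" or "pam_sss.so" not in fields:
            continue
        for arg in fields[fields.index("pam_sss.so") + 1:]:
            if arg.startswith("domains="):
                return _split(arg[len("domains="):])
    return None


def effective_domains(sssd: dict, pam_text: str, service_user: str) -> list[str]:
    """Domains the service can authenticate against when run as service_user."""
    allowed = list(sssd["domains"])
    restrict = pam_domains_option(pam_text)
    if restrict is not None:
        # domains= can only narrow the sssd.conf list; names not in
        # sssd.conf simply drop out rather than being added.
        allowed = [d for d in allowed if d in restrict]
    trusted = sssd["trusted"] == ["all"] or service_user in sssd["trusted"]
    if not trusted:
        # Untrusted service users are confined to pam_public_domains.
        if sssd["public"] == ["none"]:
            allowed = []
        elif sssd["public"] != ["all"]:
            allowed = [d for d in allowed if d in sssd["public"]]
    return allowed


if __name__ == "__main__":
    cfg = parse_sssd_conf(SSSD_CONF)
    for name, pam, user in [("sshd", PAM_SSHD, "sshd"),
                            ("webapp", PAM_WEBAPP, "webapp"),
                            ("webapp as root", PAM_WEBAPP, "root"),
                            ("locked", PAM_LOCKED, "root")]:
        print(f"{name:15} -> {effective_domains(cfg, pam, user)}")
```

Run it as-is to see that the webapp service, which asked for three domains, ends up with domain1 only: domain9 is unknown to sssd.conf and domain2 is not public, so an untrusted service user loses it. Re-run with pam_public_domains = domain1, domain2 (or with webapp added to pam_trusted_users) to confirm which change restores domain2.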