[CentOS] SSSD configuration

Sat Oct 27 18:22:07 UTC 2012
Gordon Messmer <yinyang at eburg.com>

On 10/24/2012 06:52 AM, Tomas Brandysky wrote:
> We're using LDAP authentication (nss_ldap package) on our CentOS 5.8
> servers and have different PAM ldap configuration files configured to be
> used for specific PAM services.
> We haven't found out so far how to specify a custom sssd configuration file
> (or specific part of the configuration section/domain) in the PAM service
> configuration.

I'm not aware of a way to do this directly, and I'd be surprised if it 
were at all possible.  sssd was designed to move LDAP operations into a 
service to improve scalability and avoid LDAP operations before the 
network or LDAP server was available (among other reasons).  Since 
there's just one service, you're probably only going to see one PAM 
configuration with sssd.

I think most people would approach this problem using POSIX group 
membership to indicate service access, rather than a per-service ldap 
attribute.  You weren't specific about what LDAP filters you're 
applying, so I'm obviously making some assumptions.

Using group memberships, your PAM configuration could include pam_access 
with accessfile=<path>.  The access file could indicate on a per-service 
basis which group memberships were needed to grant access.

If you must use ldap filters directly, you'll probably have to use sssd 
for NSS, and install the old pam_ldap package.  It's still available, 
and you should be able to use it in conjunction with SSSD.
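A worked version of the pam_access approach described above, added here as an example; it is not part of the original thread and not code from the CentOS, PAM or SSSD projects. It writes one access file per PAM service listing the POSIX groups allowed to use it, wires that file into /etc/pam.d/<service> as an account rule, and includes a small dry-run evaluator for pam_access's first-match rule. Assumed rather than stated on the page: CentOS 5 with sssd serving NSS (so group lookups resolve through it), bare group names in the users column of access.conf, the service and group names used (sshd, sshusers, sysadmins), and the ROOT variable, which exists only so the functions can write into a scratch tree instead of /.

```shell
#!/bin/sh
# Added example, not from the original thread: per-service access control
# via pam_access and POSIX group membership, the approach Gordon suggests.
# One access file per PAM service, each listing the groups that may use it.
#
# Assumptions (not stated on the page): CentOS 5 with sssd serving NSS, so
# group lookups resolve through it; the stock pam_access module; and bare
# group names in the users column (newer pam_access also accepts "(group)").
# ROOT lets the functions write into a scratch tree instead of / for a dry run.
set -eu

ROOT="${ROOT:-}"

# Write /etc/security/access-<service>.conf.  pam_access reads top-down and
# stops at the first matching line, so allowed groups come first and the
# catch-all deny is last.  Include a local admin group in the list, or the
# service will reject everyone outside the named groups.
# Usage: write_access_policy <service> <group>...   (prints the file path)
write_access_policy() {
    service=$1; shift
    file="$ROOT/etc/security/access-$service.conf"
    mkdir -p "$(dirname "$file")"
    {
        echo "# Who may use PAM service '$service' (generated)"
        echo "# permission : users-or-groups : origins"
        for g in "$@"; do
            echo "+ : $g : ALL"
        done
        echo "- : ALL : ALL"
    } > "$file"
    chmod 0644 "$file"
    echo "$file"
}

# Wire the policy into /etc/pam.d/<service> as an "account" rule placed
# before the service's existing account lines.  Authentication itself is
# untouched (pam_sss via system-auth keeps doing it); this only gates who
# is allowed to use this particular service.
# Usage: write_pam_stack <service>
write_pam_stack() {
    service=$1
    file="$ROOT/etc/pam.d/$service"
    rule="account    required     pam_access.so accessfile=/etc/security/access-$service.conf"
    mkdir -p "$(dirname "$file")"
    if [ -f "$file" ] && grep -q 'pam_access\.so' "$file"; then
        return 0                              # already wired, keep idempotent
    fi
    tmp="$file.tmp.$$"
    if [ -f "$file" ] && grep -q '^account' "$file"; then
        awk -v rule="$rule" '!done && /^account/ { print rule; done = 1 } { print }' \
            "$file" > "$tmp"
    else
        { if [ -f "$file" ]; then cat "$file"; fi; echo "$rule"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# Dry-run a policy the way pam_access would decide it: the first line whose
# users-or-groups column contains ALL or one of the given names wins, and no
# match means deny.  Simplification (assumption): the origin column and
# netgroups are ignored; real pam_access checks them too.
# Usage: policy_allows <file> <user> <group>...   (exit 0 = allowed)
policy_allows() {
    file=$1; shift
    awk -F: -v names=" $* " '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            perm = $1; gsub(/[[:space:]]/, "", perm)
            n = split($2, who, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (who[i] == "") continue
                if (who[i] == "ALL" || index(names, " " who[i] " ") > 0) {
                    decided = 1; result = (perm == "+") ? 0 : 1
                    exit result
                }
            }
        }
        END { if (!decided) exit 1; exit result }
    ' "$file"
}

# Stand-alone use (writes under $ROOT, so ROOT=/tmp/dryrun is a safe trial):
#   ROOT=/tmp/dryrun sh per-service-access.sh sshd sshusers sysadmins
if [ $# -gt 0 ]; then
    policy=$(write_access_policy "$@")
    write_pam_stack "$1"
    echo "wrote $policy and added a pam_access rule to $ROOT/etc/pam.d/$1"
fi
```

Try it with ROOT=/tmp/dryrun first and diff the generated /etc/pam.d/<service> against the live one before copying anything into place; a typo in the access file locks the service for everyone but the listed groups, since the last line denies ALL. Keep the sshd console or a root shell open while testing on the real tree. For the pam_ldap fallback in the last paragraph, the per-service knob is pam_ldap.so's config=<file> module argument, which is what the original poster is already using; the access-file approach above works the same way for any PAM service regardless of which module authenticates the user.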