Channel: linuxadmin: Expanding Linux SysAdmin knowledge

sssd + pam - having trouble with multiple domains


We currently use sssd for ldap auth using a domain called domain/LDAP, which has an ldap_access_filter to control who can ssh in to various servers.

What I want to do is add another domain that also does LDAP auth, but has a different ldap_access_filter. I want to reference this in a pam module.

The reason I want to do this is so that I can have openvpn use the pam plugin to auth users against LDAP. Older versions of CentOS used to ship with a plugin that did ldap auth directly, but apparently pam+sssd is the way to do it these days. This is pretty irrelevant to my current problem; it just provides the back story.

So, again, I'm on CentOS 7.2 w/all updates - which means sssd version 1.13.

My sssd.conf has [domain/LDAP] and [domain/VPN]. In the [sssd] section I have both listed in my domains=. Unfortunately it appears that you must list all domains here, in the order you want them to be queried. I'd rather not; I'd prefer to have it only use LDAP unless I've specifically told it to use VPN - but this doesn't seem to be valid.

So I have: domains = LDAP, VPN

Now, my pam config in /etc/pam.d/openvpn has:

    auth sufficient pam_sss.so domains=VPN
    auth required pam_deny.so

I think I'm going to have to edit my system-auth, etc to have domains=LDAP specifically, so that sssd doesn't also query VPN users per the behavior of domains= in sssd.conf mentioned earlier. But I've not done that yet.

So here is my problem. In my pam config, the "pam_sss.so domains=XXX" only works if XXX is the first domain listed in sssd.conf's domains=. So if I have "pam_sss.so domains=VPN" and in sssd.conf I have "domains=VPN LDAP" then it works, but NOT if I have "domains = LDAP VPN". And vice versa. I'm testing with "pamtester -v openvpn username authenticate".

Am I missing something obvious? I've read the man pages, and I'm not finding any solid examples of others doing the same thing, which is really surprising. You'd think with the openvpn use case alone this would be quite common, not to mention how useful it is for other things.

submitted by /u/tuxadmin
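The layout the post describes, written out as an added example (not the poster's files, and not part of the original thread): two sssd domains that talk to the same LDAP server and differ only in ldap_access_filter, plus the /etc/pam.d/openvpn stack that pins pam_sss.so to the VPN domain. The LDAP URI, search base and the ssh-users / vpn-users groups are assumptions. The script writes both files to temp paths so it runs offline, then applies two checks worth having before reaching for pamtester: that every domain named in a pam_sss.so domains= option is actually enabled in [sssd] domains= (pam_sss cannot use a domain sssd has not loaded, which is why the poster had to list VPN there), and that every [domain/...] section that sets ldap_access_filter also sets access_provider = ldap, since the filter is ignored otherwise.

```shell
#!/usr/bin/env bash
# Added example; file contents, hostnames and group names are assumptions.
SSSD_CONF=$(mktemp)
PAM_OPENVPN=$(mktemp)

# Constructed sssd.conf: both domains enabled, LDAP queried first.
cat >"$SSSD_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP, VPN

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_access_filter = memberOf=cn=ssh-users,ou=groups,dc=example,dc=com

[domain/VPN]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_access_filter = memberOf=cn=vpn-users,ou=groups,dc=example,dc=com
EOF

# Constructed /etc/pam.d/openvpn: auth and account both go through sssd,
# auth restricted to the VPN domain, everything else denied.
cat >"$PAM_OPENVPN" <<'EOF'
auth     sufficient pam_sss.so domains=VPN
auth     required   pam_deny.so
account  required   pam_sss.so
EOF

# Print the domains enabled in [sssd] domains=, one per line, in order.
sssd_domains() {
    awk -F= '
        /^\[sssd\]/ { s = 1; next }
        /^\[/       { s = 0 }
        s && $1 ~ /^domains[ \t]*$/ {
            gsub(/[ \t]/, "", $2); n = split($2, a, ",")
            for (i = 1; i <= n; i++) print a[i]
        }' "$1"
}

# Print every domain named in a pam_sss.so domains= option in a PAM file.
pam_sss_domains() {
    awk '/pam_sss\.so/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^domains=/) {
            sub(/^domains=/, "", $i); n = split($i, a, ",")
            for (j = 1; j <= n; j++) print a[j]
        }
    }' "$1"
}

# Fail (return 1) if the PAM file names a domain sssd has not enabled.
check_pam_domains() {   # $1 = sssd.conf, $2 = PAM service file
    local rc=0 d
    for d in $(pam_sss_domains "$2"); do
        if ! sssd_domains "$1" | grep -qx "$d"; then
            echo "pam_sss domains=$d but $d is not in [sssd] domains=" >&2
            rc=1
        fi
    done
    return $rc
}

# Fail (return 1) if a domain sets ldap_access_filter without
# access_provider = ldap; sssd silently ignores the filter in that case.
check_access_provider() {   # $1 = sssd.conf
    awk '
        function flush() {
            if (sec != "" && filt && !prov) {
                print sec " sets ldap_access_filter but access_provider is not ldap"
                bad = 1
            }
            filt = 0; prov = 0
        }
        /^\[domain\// { flush(); sec = $0; next }
        /^\[/         { flush(); sec = ""; next }
        sec != "" && /^ldap_access_filter[ \t]*=/               { filt = 1 }
        sec != "" && /^access_provider[ \t]*=[ \t]*ldap[ \t]*$/ { prov = 1 }
        END { flush(); exit bad }
    ' "$1"
}

if check_pam_domains "$SSSD_CONF" "$PAM_OPENVPN" && check_access_provider "$SSSD_CONF"; then
    echo "sssd.conf and pam.d/openvpn are consistent"
fi
# On the real host, exercise the stack the way the post does:
#   pamtester -v openvpn <user> authenticate
```

The checks are deliberately static: they catch the two misconfigurations that make pam_sss fail or grant access without ever consulting the filter, and they say nothing about which domain sssd resolves a user from when the same name exists in both. That ordering question is exactly what the post observes with pamtester, and only a live sssd can answer it.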
