We have some servers in a mixed RH5/RH6 environment that need to authenticate to one of two LDAP services. This is implemented in SSSD and is running fine. Users from either domain can log in successfully, and where there is a username overlap the correct domain takes precedence.
The wrinkle is that we have a script run through pam_exec that needs to run only for one of the two domains.
In later versions of PAM, such as that provided with RH6, I can exploit the [domains=X] syntax like so:
account [default=bad success=done user_unknown=ignore] pam_sss.so domains=domain_without_login_script
account [default=bad success=ok user_unknown=ignore] pam_sss.so domains=domain_with_login_script
(I don't know that this will work, as I haven't tested it, since the functionality isn't available to me on the RH5 systems. For the first domain, any subsequent modules in the stack are ignored; not sure how to get around this if I needed to.)
Anyway, with RH5 there is no such flag to pam_sss, and further, there is nothing in the PAM or login environment that I can see that includes this information. It would be nice for example if I could have something like:
#!/usr/bin/perl -w
# do not process users from X domain
exit(0) if $ENV{'SSSD_Domain'} eq "domain_without_login_script";
So far the only solutions I have come up with are kludgy. The UIDs from each domain will be different even where there is username overlap, so since the correct accounts are being selected, I can check the UIDs:
#!/usr/bin/perl -w
# get authenticating user from environment
use Env qw(PAM_USER);
# do not process users from X domain
# getpwnam in scalar context returns the UID, or undef if the name is unknown
my $uid = getpwnam($PAM_USER);
my $domainXuid = getpwnam("$PAM_USER\@domain_without_login_script");
# the defined check matters: undef == 0 is true, so without it a user with UID 0
# (root) would be skipped whenever the fully-qualified lookup fails
exit(0) if (defined $uid && defined $domainXuid && $uid == $domainXuid); # i.e. authenticated domain is X domain
This seems hokey to me. Does anybody know of a better way?
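The UID-comparison approach from the question, generalised into a small pam_exec helper that works out which of several SSSD domains the bare login name resolved to. This is an added example, not code from the original post: the domain names are assumed placeholders standing in for the names in sssd.conf, the `sssd_domain_for` and `nss_uid` subroutines are hypothetical, and when PAM_USER is unset it falls back to a constructed lookup table so the logic can be exercised outside of PAM.

```perl
#!/usr/bin/perl -w
# Added example: decide which SSSD domain PAM_USER belongs to by comparing the
# UID of the bare name with the UID of each fully-qualified "user@domain" name,
# then only continue for the one domain that needs the login script.
use strict;
use Env qw(PAM_USER);

# Assumed placeholders: replace with the domain names from sssd.conf
my @domains = ('domain_with_login_script', 'domain_without_login_script');
my $script_domain = 'domain_with_login_script';

# Return the domain whose fully-qualified lookup yields the same UID as the
# bare login name, or undef if no domain matches. $lookup maps a name to a UID.
sub sssd_domain_for {
    my ($user, $lookup) = @_;
    my $uid = $lookup->($user);
    return undef unless defined $uid;
    for my $d (@domains) {
        my $duid = $lookup->("$user\@$d");
        # 'defined' matters: an unknown name gives undef, and undef == 0 would
        # otherwise make root (UID 0) look like a member of every domain
        return $d if defined $duid && $duid == $uid;
    }
    return undef;
}

# Real lookup through NSS/SSSD: getpwnam in scalar context returns the UID
sub nss_uid {
    my ($name) = @_;
    my $uid = getpwnam($name);
    return $uid;
}

if (defined $PAM_USER) {
    # Running under pam_exec
    my $dom = sssd_domain_for($PAM_USER, \&nss_uid);
    exit 0 unless defined $dom && $dom eq $script_domain;
    # ... login-script work for $PAM_USER goes here ...
    exit 0;
}

# Not under PAM: exercise the logic with a constructed table (not real accounts).
# 'alice' exists in both domains and resolves to the first; 'bob' only in the second.
my %fake = (
    'alice'                             => 10001,
    'alice@domain_with_login_script'    => 10001,
    'alice@domain_without_login_script' => 20001,
    'bob'                               => 20002,
    'bob@domain_without_login_script'   => 20002,
    'root'                              => 0,
);
my $fake_uid = sub { return $fake{ $_[0] } };
for my $u (qw(alice bob root nobody)) {
    my $dom = sssd_domain_for($u, $fake_uid);
    printf "%-7s -> %s\n", $u, defined $dom ? $dom : '(no domain)';
}
```

Run it by hand with PAM_USER unset and it prints `alice -> domain_with_login_script`, `bob -> domain_without_login_script`, and `(no domain)` for root and nobody; under pam_exec it exits 0 immediately for anyone outside the script domain. It still relies on SSSD answering fully-qualified lookups, the same assumption as the original script.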