Post by ratagupt on Aug 19, 2021 14:21:04 GMT
Hi, in any given system that supports remote authentication as well as local authentication, the user should have the flexibility to choose the order of authentication. Valid values could be:
- Local Only
- Remote Only
- Local followed by Remote
- Remote followed by Local

Why do we need that? Say the same user exists in the local Unix database (/etc/passwd) as well as on the LDAP server; in that case this configuration decides which database (local or remote) needs to be looked up first. Internally it is controlled by the PAM configuration file.

Ratan
Post by mraineri on Aug 19, 2021 15:35:46 GMT
It's exactly for that use case; there are potential cases where there's an overlap in local account names and external account names. The feedback we received was that the behavior needs to be deterministic and interoperable, so that property was added to make it clear to users what behavior to expect. It's also a writable property, so administrators can control the behavior based on their policy requirements.
Post by ratagupt on Aug 20, 2021 8:09:20 GMT
> It's exactly for that use case; there are potential cases where there's an overlap in local account names and external account names. The feedback we received was that the behavior needs to be deterministic and interoperable, so that property was added to make it clear to users what behavior to expect. It's also a writable property, so administrators can control the behavior based on their policy requirements.

Sorry Mike, I was proposing this new property (AuthOrder) with the values given above as I thought this property is not there in the current AccountService schema. If I missed this property in the existing schema, can you point me to it?
Post by mraineri on Aug 20, 2021 12:22:08 GMT
Oh, sorry, the bullet list is essentially exactly what we have defined for the possible values for "LocalAccountAuth", which is what I thought you were commenting on (and asking why that property is needed). "LocalAccountAuth" within AccountService can be set to one of four values that map to those exact behaviors you're looking for:
- Enabled (Local only)
- Disabled (Remote only)
- Fallback (Remote first, then local)
- LocalFirst (Local first, then remote)
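To make the four LocalAccountAuth values concrete, here is a small model of how a service could resolve them when the same account name exists in both the local database and the remote directory, the overlap case the thread is about. This is an added example, not code from the forum thread, the DMTF Redfish schema, or any BMC implementation. The enum values and their meanings come from the post above; everything else is this example's own assumption: the two sample directories are constructed, passwords are compared in plaintext only to keep the toy short (a real store holds password hashes), a "not found" result moves on to the next source, an unreachable source is skipped, and a wrong password for an account that was found is a definitive reject rather than a reason to keep probing the other directory.

```python
"""Model of Redfish AccountService LocalAccountAuth resolution order.

Added example; not from the forum thread or the Redfish schema. The four
enum values are those named in the thread; the lookup semantics are this
example's own assumptions (see comments).
"""
import secrets
from typing import Callable, Optional, Tuple

# Constructed sample directories. "admin" exists in BOTH with different
# passwords, which is exactly the overlap the property is meant to resolve.
LOCAL_USERS = {"admin": "local-secret", "svc": "svc-local"}
REMOTE_USERS = {"admin": "ldap-secret", "alice": "alice-ldap"}


class SourceUnavailable(Exception):
    """Raised when a directory cannot be reached (e.g. LDAP server down)."""


Lookup = Callable[[str], Optional[str]]


def local_lookup(user: str) -> Optional[str]:
    """Return the stored secret for a local account, or None if unknown."""
    return LOCAL_USERS.get(user)


def make_remote_lookup(available: bool = True) -> Lookup:
    """Build a remote lookup; available=False simulates an outage."""
    def remote_lookup(user: str) -> Optional[str]:
        if not available:
            raise SourceUnavailable("remote directory unreachable")
        return REMOTE_USERS.get(user)
    return remote_lookup


# Enum values from the thread mapped to the order in which sources are consulted.
ORDER = {
    "Enabled": ("local",),              # local only
    "Disabled": ("remote",),            # remote only
    "Fallback": ("remote", "local"),    # remote first, then local
    "LocalFirst": ("local", "remote"),  # local first, then remote
}


def authenticate(user: str, password: str, local_account_auth: str,
                 local: Lookup, remote: Lookup) -> Tuple[str, Optional[str]]:
    """Return ("accepted"|"rejected", source_name_or_None).

    Assumptions (not from the schema): a source that does not know the user
    is skipped; an unreachable source is skipped; a source that knows the
    user gives the final verdict, so a wrong password is never retried
    against the other directory.
    """
    sources = {"local": local, "remote": remote}
    for name in ORDER[local_account_auth]:
        try:
            stored = sources[name](user)
        except SourceUnavailable:
            continue  # this source is down; try the next one if any
        if stored is None:
            continue  # account not known here; try the next source
        if secrets.compare_digest(stored, password):  # constant-time compare
            return ("accepted", name)
        return ("rejected", name)  # found but wrong secret: stop here
    return ("rejected", None)  # no source knew the user (or all were down)


if __name__ == "__main__":
    remote_up = make_remote_lookup(available=True)
    remote_down = make_remote_lookup(available=False)
    for mode in ORDER:
        print(mode, "admin/local-secret ->",
              authenticate("admin", "local-secret", mode, local_lookup, remote_up))
    print("Fallback with LDAP down ->",
          authenticate("admin", "local-secret", "Fallback", local_lookup, remote_down))
    print("Disabled with LDAP down ->",
          authenticate("admin", "local-secret", "Disabled", local_lookup, remote_down))
```

Running the block shows the deterministic behaviour mraineri describes: with the same credential, "Enabled" and "LocalFirst" accept admin via the local database, "Disabled" and "Fallback" reject it because the remote directory answers first with a different password, and only "Fallback" keeps the local administrator working when the LDAP server is unreachable, while "Disabled" fails closed.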
Post by ratagupt on Aug 22, 2021 4:17:02 GMT
Thanks Mike