Added support for SSSD (#311)

FredHutch · Apr 16, 2020 · ee1666c · ee1666c
1 parent eb1041d
commit ee1666c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/deployment/docker/app/Dockerfile b/deployment/docker/app/Dockerfile
@@ -32,6 +32,8 @@ RUN set -x \
     && apt-get install -y --no-install-recommends --no-install-suggests \
         krb5-user \
         libpam-krb5 \
+        sssd \
+        libpam-sss \
         sudo \
         curl \
         unzip \

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -22,15 +22,18 @@ x-variables:
             - /etc/group:/etc/group:ro
             - /etc/shadow:/etc/shadow:ro
 
-            # Authentication
-            # passwd/group should be mounted into any container
-            # needing to share the user/group IDs
-            # This is the setup for Fred Hutch where we use Ubuntu; for Red Hat you would
-            # want to use SSSD.
+            # Authentication:
+            # passwd/group should be mounted into any container needing to share the user/group IDs
             - /var/run/nscd/socket:/var/run/nscd/socket
             - /etc/krb5.conf:/etc/krb5.conf
             - /etc/pam.d:/etc/pam.d
 
+            # Volumes to enable SSSD authentication via PAM in the app container sharing configuration on
+            # host to support remote authenticaion backends such as Active Directory, LDAP, and FreeIPA
+            - /var/lib/sss/pipes:/var/lib/sss/pipes
+            - /var/lib/sss/mc:/var/lib/sss/mc:ro
+            - /etc/sssd/sssd.conf:/etc/sssd/sssd.conf
+
             # Authentication cannot mount individual files, because the mapping is
             # based on the inode
             - /etc:/etc:ro