[pmg-devel] [PATCH pve-common/proxmox-perl-rs/pmg-api/pmg-gui v3 0/8] fix #3892: OpenID
Christoph Heiss
c.heiss at proxmox.com
Fri Nov 22 10:12:15 CET 2024
On Thu, Nov 14, 2024 at 05:19:38PM +0100, Markus Frank wrote:
> Thanks for the review and sorry for the late reply.
>
> Comments inline:
>
> On 2024-10-09 13:30, Christoph Heiss wrote:
> > Just tested this series using Keycloak 26.0.0 as an OpenID provider.
> > [..]
> >
> > I noticed however that there seems to be no dedicated PAM realm in the
> > login window, only PMG authentication server - but you can still login
> > with PAM credentials. These two should be real separate realms, much
> > like we have it for PVE/PBS.
> But you can only login as root with PAM afaict.
> Should we separate it just for the root user or are we planning to add PAM login for other users?
Hm, not sure - or at least not for me to decide.
But - it was a bit surprising/confusing, since you can set PMG as
authentication realm and then use root (at) pam as username. Especially
also when comparing to PVE/PBS, how it works there.
I guess just for the sake of consistency between products would be worth
it to split them. Although user creation/management for such a PAM realm
can be left for later, as to not explode this series.
More information about the pmg-devel
mailing list