[Freeipa-users] IPA, Multiple Backends

Jakub Hrozek jhrozek at redhat.com
Fri Aug 29 16:43:41 UTC 2014


On 29 Aug 2014, at 18:33, Kyle Flavin <kyle.flavin at gmail.com> wrote:

> I'm doing some testing to integrate FreeIPA into my environment.  I need to set up two domains in sssd.conf; one is my fresh install of IPA, and the other is our legacy LDAP environment.
> 
> I want to use IPA for ssh logins to servers.  I want to be able to grant/deny SSH access through IPA.  However, I still need the legacy LDAP connected to ensure our servers still see the same file level permissions in their content directories.
> 
> I added two domains to SSSD (config below), and it works fine as far as seeing all accounts and groups.  My problem is, SSSD is now allowing SSH access from both IPA and from LDAP.  I don't want users in our legacy LDAP environment to be able to login to servers.  Is there a way to say "allow SSH from this domain", and "disallow SSH from this other domain"?

Can you try auth_provider=none in the domain that is not supposed to authenticate?


> Sanitized version of my sssd.conf:
> 
> [domain/newipa.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = newipa.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = client.newipa.com
> chpass_provider = ipa
> ipa_server = _srv_, ipaserver.newipa.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> 
> [domain/oldldap.com]
> #legacy LDAP
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_search_base = dc=oldldap,dc=com
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://ldapserver.oldldap.com
> #ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_tls_reqcert = never
> 
> 
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = newipa.com, oldldap.com
> 
> 
> Thanks.
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
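The suggestion above amounts to keeping the legacy domain as an identity source (so UIDs and GIDs still resolve for file permissions) while refusing to authenticate through it. The block below is an added example, not code from the thread, from FreeIPA or from SSSD: it embeds a constructed sssd.conf in the poster's two-domain layout with the legacy domain set to auth_provider = none, and then parses it to report, per domain, whether a login could still succeed. Two things in it go beyond the reply: it also sets access_provider = deny on the legacy domain, because SSSD's access check is a separate PAM step from authentication and is what governs public-key SSH logins that never ask SSSD for a password, and it replaces ldap_tls_reqcert = never with demand plus a CA file (the path /etc/openldap/cacerts/oldldap-ca.crt is a placeholder). The parser is Python's configparser, not SSSD's own; the defaults it applies (auth_provider falling back to id_provider, access_provider defaulting to permit) are the ones documented in sssd.conf(5).

```python
"""Audit which SSSD domains can still authenticate or authorize logins.

Added example for the thread above; not part of the original post or of
SSSD. The config text is constructed here and the CA path is a placeholder.
"""
import configparser

# Constructed sample: the poster's layout with the legacy domain reduced to
# identities only. auth_provider = none is the reply's suggestion;
# access_provider = deny is added so pubkey logins are refused as well.
SSSD_CONF = """
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = newipa.com, oldldap.com

[domain/newipa.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newipa.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.newipa.com
chpass_provider = ipa
ipa_server = _srv_, ipaserver.newipa.com
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/oldldap.com]
# legacy LDAP: resolve users and groups, never log anyone in
ldap_id_use_start_tls = True
ldap_search_base = dc=oldldap,dc=com
id_provider = ldap
auth_provider = none
access_provider = deny
ldap_uri = ldap://ldapserver.oldldap.com
# placeholder CA path; 'never' would skip certificate verification entirely
ldap_tls_cacert = /etc/openldap/cacerts/oldldap-ca.crt
ldap_tls_reqcert = demand
"""


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text; '#' lines are comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_login_status(cp, domain):
    """Apply the sssd.conf(5) defaults and say whether a login can succeed.

    auth_provider defaults to the id_provider when that provider can handle
    authentication (ldap and ipa both can); access_provider defaults to permit.
    A login needs both: a provider that authenticates and an access check
    that does not deny. Public-key SSH skips the first but not the second.
    """
    sec = cp["domain/" + domain]
    id_prov = sec.get("id_provider", "").strip()
    auth = sec.get("auth_provider", id_prov).strip()
    access = sec.get("access_provider", "permit").strip()
    password_auth = auth not in ("", "none")
    access_allowed = access != "deny"
    return {
        "id_provider": id_prov,
        "auth_provider": auth,
        "access_provider": access,
        "password_auth": password_auth,
        "access_allowed": access_allowed,
        "login_possible": password_auth and access_allowed,
    }


def audit(text):
    """Return {domain: status} for every domain listed in [sssd] domains."""
    cp = parse_sssd_conf(text)
    domains = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    return {d: domain_login_status(cp, d) for d in domains}


if __name__ == "__main__":
    for name, status in audit(SSSD_CONF).items():
        verdict = "LOGIN POSSIBLE" if status["login_possible"] else "identities only"
        print(f"{name:<14} auth={status['auth_provider']:<5} "
              f"access={status['access_provider']:<7} -> {verdict}")
```

Run against the poster's original config (legacy domain with id_provider = ldap and auth_provider = ldap, no access_provider), the same audit reports the legacy domain as login-capable, which is the behaviour the question describes; with the two lines added it reports identities only.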
