[Freeipa-users] IPA, Multiple Backends

Kyle Flavin kyle.flavin at gmail.com
Fri Aug 29 16:57:12 UTC 2014


Hi Jakub,
I'll give that a try shortly, and update with the result.


On Fri, Aug 29, 2014 at 9:43 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

>
> On 29 Aug 2014, at 18:33, Kyle Flavin <kyle.flavin at gmail.com> wrote:
>
> > I'm doing some testing to integrate FreeIPA into my environment. I need
> > to set up two domains in sssd.conf; one is my fresh install of IPA, and the
> > other is our legacy LDAP environment.
> >
> > I want to use IPA for ssh logins to servers. I want to be able to
> > grant/deny SSH access through IPA. However, I still need the legacy LDAP
> > connected to ensure our servers still see the same file-level permissions
> > in their content directories.
> >
> > I added two domains to SSSD (config below), and it works fine as far as
> > seeing all accounts and groups. My problem is, SSSD is now allowing SSH
> > access from both IPA and from LDAP. I don't want users in our legacy LDAP
> > environment to be able to log in to servers. Is there a way to say "allow
> > SSH from this domain" and "disallow SSH from this other domain"?
>
> Can you try auth_provider=none in the domain that is not supposed to
> authenticate?
>
> > Sanitized version of my sssd.conf:
> >
> > [domain/newipa.com]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = newipa.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = client.newipa.com
> > chpass_provider = ipa
> > ipa_server = _srv_, ipaserver.newipa.com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> >
> > [domain/oldldap.com]
> > #legacy LDAP
> > ldap_id_use_start_tls = True
> > cache_credentials = True
> > ldap_search_base = dc=oldldap,dc=com
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_uri = ldap://ldapserver.oldldap.com
> > #ldap_tls_cacertdir = /etc/openldap/cacerts
> > ldap_tls_reqcert = never
> >
> >
> > [sssd]
> > services = nss, pam, ssh
> > config_file_version = 2
> > domains = newipa.com, oldldap.com
> >
> >
> > Thanks.
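As an added example (editor's illustration, not part of the thread and not an official FreeIPA/SSSD fragment), here is the legacy domain from the quoted sssd.conf with Jakub's suggestion applied, plus two changes a practitioner would want. First, auth_provider = none only switches off authentication; the PAM account phase is decided by access_provider, whose default is permit, so a legacy user who authenticated some other way (an entry in ~/.ssh/authorized_keys, for instance) would still pass. Setting access_provider = deny closes that path while leaving identity lookups intact. Second, ldap_tls_reqcert = never disables certificate checking on the StartTLS session; the example turns verification back on. The CA file path is an assumption.

```ini
# Added example, not from the thread: the legacy domain restricted to
# identity (users/groups) only, so file ownership still resolves but
# nobody from this directory can log in.
[domain/oldldap.com]
id_provider = ldap
ldap_uri = ldap://ldapserver.oldldap.com
ldap_search_base = dc=oldldap,dc=com
ldap_id_use_start_tls = True

# Jakub's suggestion: no authentication from this domain at all.
auth_provider = none
# Also fail the PAM account phase for these users, so sshd rejects them
# even when authentication did not go through this provider
# (e.g. a public key already present in authorized_keys).
# Without this line the default is "permit".
access_provider = deny
# No password changes against the legacy directory either.
chpass_provider = none

# Verify the legacy server's certificate instead of "never".
# Path is an assumption: point it at the CA that issued the LDAP server cert.
ldap_tls_cacert = /etc/openldap/certs/oldldap-ca.crt
ldap_tls_reqcert = demand

# cache_credentials is dropped: there is no authentication to cache.
```

After restarting sssd, a legacy account should still resolve (getent passwd legacyuser) while an ssh login as that user is refused at the account stage. The IPA domain is untouched: it keeps access_provider = ipa, so SSH access for IPA users continues to be governed by IPA's HBAC rules.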

