[Freeipa-users] IPA, Multiple Backends

Kyle Flavin kyle.flavin at gmail.com
Fri Aug 29 17:44:22 UTC 2014


That's doing what I need!  Thank you.


On Fri, Aug 29, 2014 at 9:57 AM, Kyle Flavin <kyle.flavin at gmail.com> wrote:

> Hi Jacob,
> I'll give that a try shortly, and update with the result.
>
>
> On Fri, Aug 29, 2014 at 9:43 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>>
>> On 29 Aug 2014, at 18:33, Kyle Flavin <kyle.flavin at gmail.com> wrote:
>>
>> > I'm doing some testing to integrate FreeIPA into my environment.  I
>> need to setup two domains in sssd.conf; One is my fresh install of IPA, and
>> the other is our legacy LDAP environment.
>> >
>> > I want to use IPA for ssh logins to servers.  I want to be able to
>> grant/deny SSH access through IPA.  However, I still need the legacy LDAP
>> connected to ensure our servers still see the same file level permissions
>> in their content directories.
>> >
>> > I added two domains to SSSD (config below), and it works fine as far as
>> seeing all accounts and groups.  My problem is, SSSD is now allowing SSH
>> access from both IPA and from LDAP.  I don't want users in our legacy LDAP
>> environment to be able to login to servers.  Is there a way to say "allow
>> SSH from this domain", and "disallow SSH from this other domain"?
>>
>> Can you try auth_provider=none in the domain that is not supposed to
>> authenticate?
>>
>>
>> >
>>
>> > Sanitized version of my sssd.conf:
>> >
>> > [domain/newipa.com]
>> > cache_credentials = True
>> > krb5_store_password_if_offline = True
>> > ipa_domain = newipa.com
>> > id_provider = ipa
>> > auth_provider = ipa
>> > access_provider = ipa
>> > ipa_hostname = client.newipa.com
>> > chpass_provider = ipa
>> > ipa_server = _srv_, ipaserver.newipa.com
>> > ldap_tls_cacert = /etc/ipa/ca.crt
>> >
>> > [domain/oldldap.com]
>> > #legacy LDAP
>> > ldap_id_use_start_tls = True
>> > cache_credentials = True
>> > ldap_search_base = dc=oldldap,dc=com
>> > id_provider = ldap
>> > auth_provider = ldap
>> > chpass_provider = ldap
>> > ldap_uri = ldap://ldapserver.oldldap.com
>> > #ldap_tls_cacertdir = /etc/openldap/cacerts
>> > ldap_tls_reqcert = never
>> >
>> >
>> > [sssd]
>> > services = nss, pam, ssh
>> > config_file_version = 2
>> > domains = newipa.com, oldldap.com
>> >
>> >
>> > Thanks.
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go To http://freeipa.org for more info on the project
>>
>>
>
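As an added illustration of the configuration change discussed in this thread (not code from the thread, from SSSD or from FreeIPA), the following Python script parses an sssd.conf and reports, per domain, whether that domain can still authenticate logins. The sample configuration embedded in it is constructed from the sanitized sssd.conf posted above with the suggested `auth_provider = none` applied to the legacy LDAP domain; the pre-change variant is derived from it so both can be compared. The defaults it assumes (auth_provider falls back to id_provider; access_provider defaults to permit) are those documented in sssd.conf(5).

```python
"""Audit an sssd.conf for which domains can authenticate logins.

Added example for the thread above; not part of SSSD or FreeIPA. The sample
below is constructed from the sanitized sssd.conf in the thread with the
suggested change (auth_provider = none on the legacy LDAP domain) applied.
"""
import configparser

# Constructed sample: the thread's sanitized sssd.conf after applying the
# suggested auth_provider = none to the legacy domain.
FIXED_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = newipa.com, oldldap.com

[domain/newipa.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newipa.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.newipa.com
chpass_provider = ipa
ipa_server = _srv_, ipaserver.newipa.com
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/oldldap.com]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=oldldap,dc=com
id_provider = ldap
auth_provider = none
chpass_provider = ldap
ldap_uri = ldap://ldapserver.oldldap.com
ldap_tls_reqcert = never
"""

# The pre-change variant from the thread, where the legacy domain still
# authenticates (auth_provider = ldap).
ORIGINAL_SSSD_CONF = FIXED_SSSD_CONF.replace("auth_provider = none", "auth_provider = ldap")


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def active_domains(cp):
    """Domains SSSD actually serves: the [sssd] 'domains' list, in order."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def audit_domain(cp, name):
    """Summarise one [domain/NAME] section from a login-control point of view."""
    section = f"domain/{name}"
    if not cp.has_section(section):
        return {"domain": name, "present": False}
    id_provider = cp.get(section, "id_provider", fallback="").strip().lower()
    # auth_provider defaults to id_provider when unset (sssd.conf(5)).
    auth = cp.get(section, "auth_provider", fallback=id_provider).strip().lower()
    # access_provider defaults to 'permit' when unset (sssd.conf(5)).
    access = cp.get(section, "access_provider", fallback="permit").strip().lower()
    reqcert = cp.get(section, "ldap_tls_reqcert", fallback="").strip().lower()
    return {
        "domain": name,
        "present": True,
        "id_provider": id_provider,
        "auth_provider": auth,
        "can_authenticate": auth != "none",
        "access_provider": access,
        "tls_cert_check_disabled": reqcert == "never",
    }


def login_capable_domains(cp):
    """Names of domains whose users could authenticate through SSSD/PAM."""
    return [d for d in active_domains(cp) if audit_domain(cp, d).get("can_authenticate")]


def report(text):
    """Human-readable one-line-per-domain summary with the findings a reviewer would want."""
    cp = parse_sssd_conf(text)
    lines = []
    for name in active_domains(cp):
        a = audit_domain(cp, name)
        if not a["present"]:
            lines.append(f"{name}: listed in [sssd] domains but has no section")
            continue
        flags = []
        if a["can_authenticate"] and a["access_provider"] == "permit":
            flags.append("authenticates with no access control (access_provider defaults to permit)")
        if a["tls_cert_check_disabled"]:
            flags.append("ldap_tls_reqcert = never: LDAP server certificate is not verified")
        status = "auth ENABLED" if a["can_authenticate"] else "auth disabled (auth_provider = none)"
        line = f"{name}: id={a['id_provider']} auth={a['auth_provider']} access={a['access_provider']} -> {status}"
        lines.append(line + (" | " + "; ".join(flags) if flags else ""))
    return lines


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_SSSD_CONF), ("with auth_provider = none", FIXED_SSSD_CONF)):
        print(f"== {label} ==")
        for line in report(text):
            print(line)
```

Run it as-is to see the two variants side by side, or point `report()` at the contents of a real /etc/sssd/sssd.conf. With `auth_provider = none` the legacy domain still resolves users and groups for file ownership (id_provider is unchanged), but its users can no longer authenticate, which is the behaviour the thread needed; the script also surfaces that the legacy section never verified the LDAP server's certificate (`ldap_tls_reqcert = never`), which is worth fixing independently of the login question.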