[Freeipa-users] HBAC rules don't work with PAM - problem

Alexander Bokovoy abokovoy at redhat.com
Mon May 11 19:04:14 UTC 2015


On Mon, 11 May 2015, Vangass wrote:
>OK. But the answer granted/declined comes from IPA. So why doesn't IPA
>check its own HBAC rules at all?
>Maybe the line 'account      required      pam_sss.so' isn't
>necessary/required. I just want to do authentication by IPA HBAC rules.
Authentication and account management stages are different in PAM. When
authentication is performed, it is a separate step. When account
management is performed, it is a separate step as well.

HBAC rules are checked at the account management stage because this is where
all such checks are done traditionally in PAM. If you read the
documentation [1], it states:
=======================================================================
The pam_acct_mgmt function is used to determine if the user's account is
valid. It checks for authentication token and account expiration and
verifies access restrictions. It is typically called after the user has
been authenticated.
=======================================================================

If an application doesn't call into pam_acct_mgmt, it is not using the PAM
stack's separation of duties properly.

[1] http://linux.die.net/man/3/pam_acct_mgmt

-- 
/ Alexander Bokovoy
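The point above, that HBAC is only evaluated when pam_sss.so is reached in the account stage, can be checked on a host with a small audit script. This is an added example, not code from the thread or from FreeIPA/SSSD; the pam.d sample files it writes are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam.d service file and report
# whether its "account" stack calls pam_sss.so, the stage where SSSD applies
# IPA HBAC rules. The sample service files below are constructed.

# Print the module names used in the "account" stack, one per line.
# Comments are stripped; bracketed control fields such as
# [default=bad success=ok user_unknown=ignore] are skipped by taking the
# first field that ends in ".so". "include"/"substack" targets are not followed.
pam_account_modules() {
    sed -e 's/#.*$//' "$1" | awk '
        $1 == "account" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /\.so$/) { sub(/.*\//, "", $i); print $i; break }
            }
        }'
}

# Exit 0 when pam_sss.so is present in the account stack, 1 otherwise.
pam_account_uses_sss() {
    pam_account_modules "$1" | grep -qxF 'pam_sss.so'
}

# Write two constructed sample files to a temp dir: one with the account line
# discussed in the thread, one where it was dropped. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd-good" <<'EOF'
# constructed sample
auth       required      pam_env.so
auth       sufficient    pam_sss.so use_first_pass
account    required      pam_unix.so broken_shadow
account    [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
session    optional      pam_sss.so
EOF
    cat > "$dir/sshd-bad" <<'EOF'
auth       sufficient    pam_sss.so use_first_pass
account    required      pam_unix.so
session    optional      pam_sss.so   # auth and session only, no account check
EOF
    echo "$dir"
}

main() {
    d=$(make_samples)
    for f in "$d/sshd-good" "$d/sshd-bad"; do
        if pam_account_uses_sss "$f"; then echo "$f: HBAC will be evaluated"
        else echo "$f: WARNING: account stack never calls pam_sss.so"; fi
    done
}

main "$@"
```

Point `pam_account_uses_sss` at a real file such as /etc/pam.d/sshd to check the service whose logins are being granted despite the HBAC rules.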