[Freeipa-users] HBAC rules don't work with PAM - problem

Jan Pazdziora jpazdziora at redhat.com
Tue May 12 07:39:49 UTC 2015


On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
> OK. But the answer granted/declined comes from IPA. So why doesn't IPA
> check its own HBAC rules at all?
> Maybe the line 'account      required      pam_sss.so' isn't
> necessary/required. I just want to do authentication by IPA HBAC rules.

Note that you can have setups when you don't authenticate via PAM
at all (for example when using Kerberos) yet you do authorization
(access control) using PAM. Authentication is not the correct place to
process HBAC rules.

In your case, nobody is arguing that the password used was incorrect --
authentication passed, the identity of the client was validated. The
application (tacacs) is supposed to do an additional step, now that it
knows what user is attempting to log in -- verify authorization, the fact
that the known user should be allowed in, with pam_acct_mgmt.

That's the why.

You could in theory force it to work by writing a wrapper PAM module
which would call both pam_sss's pam_sm_authenticate *and*
pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
a hack, possibly with unexpected side effects.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
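As an added check (not from this thread or the FreeIPA project), a shell script that walks a service's PAM stack, following include/substack the way libpam splices files in, and reports whether pam_sss.so is reached in the auth group only or also in the account group, where SSSD evaluates HBAC. The service name and pam.d directory are assumptions; /etc/pam.d is the default.

```shell
#!/bin/sh
# stack_calls_module FILE PAMDIR TYPE MODULE [DEPTH]
# Prints the stack file in which a line of management group TYPE
# (auth/account/...) names MODULE and returns 0; returns 1 otherwise.
# "include"/"substack" lines are followed into PAMDIR, bounded in depth
# so a mis-edited self-including stack cannot loop forever.
stack_calls_module() {
    [ "${5:-0}" -lt 8 ] || return 1
    [ -r "$1" ] || return 1
    while read -r type rest; do
        case $type in ''|'#'*) continue ;; esac      # blank lines, comments
        [ "$type" = "$3" ] || continue               # other management groups
        case $rest in
            *"$4"*)
                echo "$1"; return 0 ;;
            include\ *|substack\ *)
                # last word on the line is the referenced stack file
                stack_calls_module "$2/${rest##* }" "$2" "$3" "$4" \
                    $(( ${5:-0} + 1 )) && return 0 ;;
        esac
    done < "$1"
    return 1
}

# report_service SERVICE [PAMDIR]: say where pam_sss.so is consulted.
# Authentication alone (auth group) never evaluates HBAC; only
# pam_acct_mgmt running the account group asks SSSD about the rules.
report_service() {
    dir=${2:-/etc/pam.d}
    if f=$(stack_calls_module "$dir/$1" "$dir" auth pam_sss.so); then
        echo "auth:    pam_sss.so reached via $f (authentication only)"
    else
        echo "auth:    pam_sss.so not in the auth stack"
    fi
    if f=$(stack_calls_module "$dir/$1" "$dir" account pam_sss.so); then
        echo "account: pam_sss.so reached via $f (HBAC evaluated here)"
    else
        echo "account: pam_sss.so missing, pam_acct_mgmt never asks SSSD, HBAC not enforced"
    fi
}

# Usage: ./pamcheck.sh tacacs   (service name under /etc/pam.d, assumed)
if [ $# -eq 1 ]; then
    report_service "$1"
fi
```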
