[Freeipa-users] HBAC rules don't work with PAM - problem

Vangass vangass at gazeta.pl
Wed May 13 07:38:10 UTC 2015


OK. I understand.
Thank you for the answer.


2015-05-12 9:39 GMT+02:00 Jan Pazdziora <jpazdziora at redhat.com>:

> On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
> > OK. But the answer granted/declined comes from IPA. So why doesn't IPA
> > check its own HBAC rules at all?
> > Maybe the line 'account      required      pam_sss.so' isn't
> > necessary/required. I just want to do authentication by IPA HBAC rules.
>
> Note that you can have setups where you don't authenticate via PAM
> at all (for example when using Kerberos) yet you do authorization
> (access control) using PAM. Authentication is not the correct place to
> process HBAC rules.
>
> In your case, nobody is arguing that the password used was correct --
> authentication passed, the identity of the client was validated. The
> application (tacacs) is supposed to do an additional step, now that it
> knows which user is attempting to log in -- verify authorization, the
> fact that the known user should be allowed in, with pam_acct_mgmt.
>
> That's the why.
>
> You could in theory force it to work by writing a wrapper PAM module
> which would call both pam_sss's pam_sm_authenticate *and*
> pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
> a hack, possibly with unexpected side effects.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
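The point in the quoted reply, that HBAC is enforced in PAM's account phase and so an application that stops after the authentication phase never triggers it, is easiest to see with the two phases side by side. The following is an added example written for this page, not code from the thread, SSSD, libpam or FreeIPA: it models pam_authenticate() and pam_acct_mgmt() as plain functions backed by a small HBAC evaluator with FreeIPA's allow-only semantics (an enabled rule must match the user, host and service, otherwise access is denied), and compares an application that calls only the authentication phase with one that also calls the account phase. The users, groups, hosts, passwords, rules and the PAM service name "tacacs" are all constructed for the example.

```python
"""Model of PAM's authenticate and account phases with a toy HBAC evaluator.

Constructed example: the identity data, HBAC rules and the PAM-like
functions below are stand-ins, not libpam, SSSD or FreeIPA code.
"""
from dataclasses import dataclass, field

# Return codes use libpam's numeric values for recognisability only.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6   # what pam_acct_mgmt() returns when access is refused
PAM_AUTH_ERR = 7      # what pam_authenticate() returns on a bad credential

# Constructed directory content standing in for the IPA server.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}
GROUP_MEMBERS = {"admins": {"alice"}, "netops": {"bob"}}
HOSTGROUP_MEMBERS = {"tacacs-servers": {"tac1.example.test"}}


@dataclass
class HbacRule:
    """One HBAC rule: who (users/groups), where (hosts/hostgroups), which PAM service."""
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    user_cat_all: bool = False      # usercategory=all
    host_cat_all: bool = False      # hostcategory=all
    service_cat_all: bool = False   # servicecategory=all

    def matches(self, user: str, host: str, service: str) -> bool:
        user_ok = (self.user_cat_all or user in self.users
                   or any(user in GROUP_MEMBERS.get(g, ()) for g in self.groups))
        host_ok = (self.host_cat_all or host in self.hosts
                   or any(host in HOSTGROUP_MEMBERS.get(hg, ()) for hg in self.hostgroups))
        svc_ok = self.service_cat_all or service in self.services
        return user_ok and host_ok and svc_ok


def hbac_allows(rules, user: str, host: str, service: str) -> bool:
    """HBAC is allow-only: access requires at least one enabled rule to match."""
    return any(r.enabled and r.matches(user, host, service) for r in rules)


def pam_authenticate(user: str, password: str) -> int:
    """Authentication phase: only answers 'is this really <user>?'."""
    return PAM_SUCCESS if USERS.get(user) == password else PAM_AUTH_ERR


def pam_acct_mgmt(rules, user: str, host: str, service: str) -> int:
    """Account phase: the place where HBAC is evaluated (pam_sss does it here)."""
    if user not in USERS:
        return PAM_PERM_DENIED
    return PAM_SUCCESS if hbac_allows(rules, user, host, service) else PAM_PERM_DENIED


def login_auth_only(rules, user, password, host, service) -> bool:
    """An application that stops after the authentication phase: HBAC never runs."""
    return pam_authenticate(user, password) == PAM_SUCCESS


def login_auth_and_acct(rules, user, password, host, service) -> bool:
    """The sequence a libpam client is expected to follow."""
    if pam_authenticate(user, password) != PAM_SUCCESS:
        return False
    return pam_acct_mgmt(rules, user, host, service) == PAM_SUCCESS


# Constructed rule set: the default allow_all rule is disabled, as on a
# locked-down deployment; only netops may use the tacacs service on the
# tacacs hostgroup, and only admins may use sshd anywhere.
RULES = [
    HbacRule("allow_all", enabled=False,
             user_cat_all=True, host_cat_all=True, service_cat_all=True),
    HbacRule("netops_tacacs", groups={"netops"},
             hostgroups={"tacacs-servers"}, services={"tacacs"}),
    HbacRule("admins_sshd", groups={"admins"}, host_cat_all=True, services={"sshd"}),
]

if __name__ == "__main__":
    host, svc = "tac1.example.test", "tacacs"
    # alice's password is right, but no HBAC rule grants her tacacs on tac1.
    print("auth only      :", login_auth_only(RULES, "alice", "correct-horse", host, svc))
    print("auth + acct_mgmt:", login_auth_and_acct(RULES, "alice", "correct-horse", host, svc))
    print("bob, auth + acct:", login_auth_and_acct(RULES, "bob", "battery-staple", host, svc))
```

Run as is, the first line prints True and the second False: the same correct password is accepted by the authentication phase in both cases, and only the call to the account phase applies the rules. Against a real deployment the equivalent check is `ipa hbactest --user=alice --host=tac1.example.test --service=tacacs` on the IPA side, plus confirming that the application's PAM stack has an `account ... pam_sss.so` line and that the application actually calls pam_acct_mgmt() after pam_authenticate().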