[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Mon Feb 15 09:34:33 UTC 2016


Hello,

I would like to get freeipa to work with a proxy solution (I currently have this working with an active directory/no trust authentication and sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a ticket for this as a new enhancement, #4634, but wanted to confirm that there isn't another way to accomplish this.

Here is my current configuration for proxy and this works OK:

[domain/mikey.com]
sudo_provider = ipa
ipa_domain = va2.b2c.mikey.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
chpass_provider = ipa
ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
ldap_tls_cacert = /etc/ipa/ca.crt

id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
reconnection_retries = 3
ldap_uri = ldap://adldaplb.mikey.com
ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
ldap_schema = AD
ldap_default_authtok_type = password
ldap_network_timeout = 120
ldap_opt_timeout = 120
ldap_search_timeout = 120
ldap_id_use_start_tls = false
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
enumerate = true
ldap_referrals = true
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_access_filter = *
case_sensitive = false
lookup_family_order = ipv4_only
dns_resolver_timeout = 30
cache_credentials = false


Thanks for your help,

Warren Birnbaum
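Added example, not part of Warren's post or of SSSD itself: a small Python checker that parses an sssd.conf-style file and reports the transport settings a reviewer would look at in the proxy/AD block above (a plain ldap:// URI together with ldap_id_use_start_tls = false, and ldap_tls_reqcert = allow, which accepts a server certificate that cannot be verified). The sample config is constructed from the posted values; the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample built from the proxy/AD values in the post above.
SAMPLE_CONF = """[domain/mikey.com]
id_provider = proxy
auth_provider = ldap
ldap_uri = ldap://adldaplb.mikey.com
ldap_id_use_start_tls = false
ldap_tls_reqcert = allow
"""

def parse_sssd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """sssd.conf is INI-like: [section] headers, key = value, # or ; comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            current[key.strip().lower()] = value.strip()  # last duplicate wins
    return sections

def check_ldap_transport(section: Dict[str, str]) -> List[str]:
    """Return findings for settings that leave the LDAP channel unencrypted or unverified."""
    findings = []
    uris = [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]
    # SSSD defaults: ldap_id_use_start_tls = true, ldap_tls_reqcert = hard.
    start_tls = section.get("ldap_id_use_start_tls", "true").lower() == "true"
    reqcert = section.get("ldap_tls_reqcert", "hard").lower()
    if any(u.startswith("ldap://") for u in uris) and not start_tls:
        findings.append("ldap:// URI with ldap_id_use_start_tls = false: identity lookups go in the clear")
    if reqcert in ("allow", "never"):
        msg = f"ldap_tls_reqcert = {reqcert}: the server certificate is not verified"
        if section.get("auth_provider", "").lower() == "ldap":
            msg += "; with auth_provider = ldap, passwords can reach an impersonating server"
        findings.append(msg)
    return findings

def audit(text: str) -> Dict[str, List[str]]:
    # Only [domain/...] sections carry LDAP settings; other sections are skipped.
    return {name: check_ldap_transport(sec)
            for name, sec in parse_sssd_conf(text).items() if name.startswith("domain/")}
```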