[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Lukas Slebodnik
lslebodn at redhat.com
Mon Feb 15 11:36:18 UTC 2016
On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>Hello,
>
>I would like to get freeipa to work with a proxy solution ( I currently have this working with an active directory/no trust authentication and sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a ticket for this as a new enhancement #4634 but wanted to confirm that there isn't another way to accomplish this.
>
>Here is my current configuration for proxy and this works OK:
>
>[domain/mikey.com]
>sudo_provider = ipa
>ipa_domain = va2.b2c.mikey.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>chpass_provider = ipa
>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>id_provider = proxy
>proxy_lib_name = files
>auth_provider = ldap
>reconnection_retries = 3
>ldap_uri = ldap://adldaplb.mikey.com
>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>ldap_schema = AD
>ldap_default_authtok_type = password
>ldap_network_timeout = 120
>ldap_opt_timeout = 120
>ldap_search_timeout = 120
>ldap_id_use_start_tls = false
>ldap_user_object_class = user
>ldap_group_object_class = group
>ldap_user_name = sAMAccountName
>enumerate = true
>ldap_referrals = true
>ldap_tls_reqcert = allow
>ldap_tls_cacertdir = /etc/openldap/cacerts
>ldap_access_filter = *
>case_sensitive = false
>lookup_family_order = ipv4_only
>dns_resolver_timeout = 30
>cache_credentials = false
>
This configuration file is a little bit suspicious to me.
There is mixed/overriden id_provider ipa and proxy + some parts from AD.
HBAC can work only with IPA users or trusted AD users (IPA AD trust)
HBAC cannot work with id_provider ldap, proxy or AD.
You can achieve something similar with GPO and ad provider.
LS
More information about the Freeipa-users
mailing list