[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Mon Feb 15 11:45:58 UTC 2016


Thanks Lukas.

Unfortunately setting up an IPA AD Trust is something not possible within
our organization.  Is it then fair to say that waiting for Ticket #4623 is
our only option?  https://fedorahosted.org/freeipa/ticket/4634


Thanks,

Warren
___________________
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 12:36 PM, "Lukas Slebodnik" <lslebodn at redhat.com> wrote:

>On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>>Hello,
>>
>>I would like to get freeipa to work with a proxy solution (I currently
>>have this working with an active directory/no trust authentication and
>>sudo but no HBAC) including HBAC.  I can get sudo to work but not HBAC.
>>I see there is a ticket for this as a new enhancement #4634 but wanted
>>to confirm that there isn't another way to accomplish this.
>>
>>Here is my current configuration for proxy and this works OK:
>>
>>[domain/mikey.com]
>>sudo_provider = ipa
>>ipa_domain = va2.b2c.mikey.com
>>id_provider = ipa
>>auth_provider = ipa
>>access_provider = ipa
>>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>>chpass_provider = ipa
>>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>>ldap_tls_cacert = /etc/ipa/ca.crt
>>
>>id_provider = proxy
>>proxy_lib_name = files
>>auth_provider = ldap
>>reconnection_retries = 3
>>ldap_uri = ldap://adldaplb.mikey.com
>>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>>ldap_schema = AD
>>ldap_default_authtok_type = password
>>ldap_network_timeout = 120
>>ldap_opt_timeout = 120
>>ldap_search_timeout = 120
>>ldap_id_use_start_tls = false
>>ldap_user_object_class = user
>>ldap_group_object_class = group
>>ldap_user_name = sAMAccountName
>>enumerate = true
>>ldap_referrals = true
>>ldap_tls_reqcert = allow
>>ldap_tls_cacertdir = /etc/openldap/cacerts
>>ldap_access_filter = *
>>case_sensitive = false
>>lookup_family_order = ipv4_only
>>dns_resolver_timeout = 30
>>cache_credentials = false
>>
>This configuration file is a little bit suspicious to me.
>There is a mixed/overridden id_provider (ipa and proxy) + some parts from AD.
>
>HBAC can work only with IPA users or trusted AD users (IPA AD trust)
>HBAC cannot work with id_provider ldap, proxy or AD.
>You can achieve something similar with GPO and ad provider.
>
>LS
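The two points Lukas raises, duplicate provider keys in one [domain/...] section and HBAC only being enforceable for IPA (or trusted AD) identities, can be checked mechanically. The lint below is an added example, not code from this thread or from sssd: it parses an sssd.conf-style file, keeps every occurrence of a key so shadowed values stay visible, and flags an access_provider = ipa that is not backed by an effective id_provider = ipa. The sample configuration is constructed to mirror the posted one, and treating the later value as the effective one is an assumption made here, not documented sssd behaviour.

```python
import re

# Constructed sample with the shape of the posted configuration (shortened).
SAMPLE_CONF = """\
[domain/mikey.com]
sudo_provider = ipa
id_provider = ipa
auth_provider = ipa
access_provider = ipa
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_uri = ldap://adldaplb.mikey.com
ldap_schema = AD
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
OPTION_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)$")

def parse_sssd_conf(text):
    """Return {section: [(key, value), ...]} keeping every occurrence in
    order, so duplicate keys inside one section stay visible."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif (m := OPTION_RE.match(line)) and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections

def lint_domain(options):
    """Flag keys whose later value shadows an earlier one (assumed to be the
    effective one), and an HBAC access_provider without id_provider = ipa."""
    findings, seen = [], {}
    for key, value in options:
        if key in seen and seen[key] != value:
            findings.append(f"{key}: '{seen[key]}' overridden by '{value}'")
        seen[key] = value
    if seen.get("access_provider") == "ipa" and seen.get("id_provider") != "ipa":
        findings.append(f"access_provider = ipa needs id_provider = ipa for HBAC, "
                        f"got '{seen.get('id_provider')}'")
    return findings

def lint_conf(text):
    """Lint every [domain/...] section; returns {section: [finding, ...]}."""
    return {n: lint_domain(o) for n, o in parse_sssd_conf(text).items()
            if n.startswith("domain/")}
```

Running `lint_conf(SAMPLE_CONF)` reports the overridden id_provider and auth_provider keys and the HBAC mismatch; a section that uses a single id_provider = ipa produces no findings.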