[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Jakub Hrozek
jhrozek at redhat.com
Mon Feb 15 15:08:40 UTC 2016
On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
> Hi Jakub,
>
> Thanks but I have sudo working OK.
I'm sorry, my fault..
> What I am trying to make work is HBAC.
> That I can't get to work with the proxy hack. Is there a way to do that?
I haven't tested that use-case, but from the code it looks like it
wouldn't work, because the HBAC code tries to match the originalDN of
the user as stored on the IPA server.
I'm finishing a standalone HBAC PAM module that could help in setups
like this, but more importantly -- why do you have the user proxied from
files? Isn't it better to just rely on sssd's caching and fetch the user
from IPA?