[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Jakub Hrozek
jhrozek at redhat.com
Mon Feb 15 16:16:58 UTC 2016
On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
> Jakub,
>
> We want to use password stored in AD and get a yes/no from the AD side.
OK, I see. Yes, with IPA provider you would authenticate the IPA user
against the IPA KDC.
> My understanding (which is very limited) is that if we use the IPA
> authentication then it resides in the local kerberos database. Is that
> not correct? If I am completely off, how would I setup type of
> authentication from IPA up?
Normally with trusts.
>
> Thanks again,
>
> Warren
> ___________________
> Warren Birnbaum : Infrastructure Services
> Digital Linux Infrastructure Services
> Europe CDT Techn. Operations
> Nike Inc. : Mobile +31 6 23902697
>
> On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
>
> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
> >> Hi Jakub,
> >>
> >> Thanks but I have sudo working OK.
> >
> >I'm sorry, my fault..
> >
> >> What I am trying make work is HBAC.
> >> That I can't get to work with the proxy hack. Is there a way to do
> >>that?
> >
> >I haven't tested that use-case, but from the code it looks like it
> >wouldn't work, because the HBAC code tries to match the originalDN of
> >the user as stored on the IPA server.
> >
> >I'm finishing a standalone HBAC PAM module that could help in setups
> >like this, but more importantly -- why do you have the user proxied from
> >files? Isn't it better to just rely on sssd's caching and fetch the user
> >from IPA?
>
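As an added illustration (not taken from the thread, nor from SSSD's or FreeIPA's own documentation), here are the two sssd.conf shapes the exchange contrasts: the "proxy hack" with identities from local files and passwords checked against AD, and the IPA-provider setup Jakub points to, where AD users arrive through a trust. The host names, realm and domain names are placeholders, and the sudo-via-compat-tree wiring is an assumption about how the poster's sudo setup works.

```ini
# Added illustration only; not the poster's actual config and not
# SSSD/FreeIPA project documentation.  All names below are assumptions.

[sssd]
services = nss, pam, sudo
domains = proxyhack, ipa.example.com

# (1) The "proxy hack": identities from local files via the proxy
#     provider, password yes/no answered by the AD KDC, sudo rules read
#     from IPA's LDAP compat tree.  The user has no IPA identity object,
#     so there is no originalDN for the IPA HBAC code to match against;
#     IPA HBAC cannot be evaluated in this shape, hence access_provider
#     is set to permit here.
[domain/proxyhack]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = dc1.ad.example.com
krb5_realm = AD.EXAMPLE.COM
sudo_provider = ldap
ldap_uri = ldap://ipa1.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
access_provider = permit

# (2) The supported shape: IPA provider for identity, authentication,
#     sudo and HBAC.  AD users reach this host through an IPA-AD trust
#     set up on the IPA servers (ipa-adtrust-install, then ipa trust-add);
#     they still authenticate against their own AD KDC, while HBAC rules
#     are evaluated against the identity IPA knows.
[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com
ipa_hostname = client1.ipa.example.com
cache_credentials = True
```

Only one of the two domain sections would normally be enabled on a given client; both are listed together here to make the difference visible. In shape (2), per-user HBAC results can be checked on the IPA side with `ipa hbactest --user USER --host HOST --service sshd` before relying on the client's access decision.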