[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Mon Feb 15 15:58:15 UTC 2016


Jakub,

We want to use the password stored in AD and get a yes/no from the AD side.
My understanding (which is very limited) is that if we use the IPA
authentication then it resides in the local Kerberos database.  Is that
not correct?  If I am completely off, how would I set up this type of
authentication from IPA up?

Thanks again,

Warren
___________________
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697
On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:

>On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hi Jakub,
>> 
>> Thanks but I have sudo working OK.
>
>I'm sorry, my fault..
>
>> What I am trying make work is HBAC.
>> That I can't get to work with the proxy hack.  Is there a way to do
>>that?
>
>I haven't tested that use-case, but from the code it looks like it
>wouldn't work, because the HBAC code tries to match the originalDN of
>the user as stored on the IPA server.
>
>I'm finishing a standalone HBAC PAM module that could help in setups
>like this, but more importantly -- why do you have the user proxied from
>files? Isn't it better to just rely on sssd's caching and fetch the user
>from IPA?