[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Birnbaum, Warren (ETW)
Warren.Birnbaum at nike.com
Mon Feb 15 18:57:13 UTC 2016
Jakub,
I am very interested in your standalone HBAC PAM module if you think it
would apply in this situation. I would be happy to test it out if helpful.
Thanks again for your help,
Warren Birnbaum
___________________
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697
On 2/15/16, 5:16 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
>On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
>> Jakub,
>>
>> We want to use password stored in AD and get a yes/no from the AD side.
>
>OK, I see. Yes, with IPA provider you would authenticate the IPA user
>against the IPA KDC.
>
>> My understanding (which is very limited) is that if we use the IPA
>> authentication then it resides in the local kerberos database. Is that
>> not correct? If I am completely off, how would I setup type of
>> authentication from IPA up?
>
>Normally with trusts.
>
>>
>> Thanks again,
>>
>> Warren
>> ___________________
>> Warren Birnbaum : Infrastructure Services
>> Digital Linux Infrastructure Services
>> Europe CDT Techn. Operations
>> Nike Inc. : Mobile +31 6 23902697
>>
>> On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
>>
>> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> >> Hi Jakub,
>> >>
>> >> Thanks but I have sudo working OK.
>> >
>> >I'm sorry, my fault..
>> >
>> >> What I am trying make work is HBAC.
>> >> That I can't get to work with the proxy hack. Is there a way to do that?
>> >
>> >I haven't tested that use-case, but from the code it looks like it
>> >wouldn't work, because the HBAC code tries to match the originalDN of
>> >the user as stored on the IPA server.
>> >
>> >I'm finishing a standalone HBAC PAM module that could help in setups
>> >like this, but more importantly -- why do you have the user proxied from
>> >files? Isn't it better to just rely on sssd's caching and fetch the user
>> >from IPA?
>>