[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Mon Feb 15 18:57:13 UTC 2016


Jakub,

I am very interested in your standalone HBAC PAM module if you think it
would apply in this situation.  I would be happy to test it out if helpful.

Thanks again for your help,

Warren Birnbaum

___________________
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697
On 2/15/16, 5:16 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:

>On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
>> Jakub,
>> 
>> We want to use password stored in AD and get a yes/no from the AD side.
>
>OK, I see. Yes, with IPA provider you would authenticate the IPA user
>against the IPA KDC.
>
>> My understanding (which is very limited) is that if we use the IPA
>> authentication then it resides in the local kerberos database.  Is that
>> not correct?  If I am completely off, how would I setup type of
>> authentication from IPA up?
>
>Normally with trusts.
>
>> 
>> Thanks again,
>> 
>> Warren
>> 
>> On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
>> 
>> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> >> Hi Jakub,
>> >> 
>> >> Thanks but I have sudo working OK.
>> >
>> >I'm sorry, my fault..
>> >
>> >> What I am trying make work is HBAC.
>> >> That I can't get to work with the proxy hack.  Is there a way to do that?
>> >
>> >I haven't tested that use-case, but from the code it looks like it
>> >wouldn't work, because the HBAC code tries to match the originalDN of
>> >the user as stored on the IPA server.
>> >
>> >I'm finishing a standalone HBAC PAM module that could help in setups
>> >like this, but more importantly -- why do you have the user proxied from
>> >files? Isn't it better to just rely on sssd's caching and fetch the user
>> >from IPA?
>> 
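As an added illustration (not part of this thread and not SSSD or FreeIPA project code), the two client setups being discussed side by side: the "proxy hack" that serves the user from local files, and the plain IPA provider that Jakub suggests instead. Per his explanation, HBAC evaluation in SSSD matches the user's originalDN as stored on the IPA server, which a user proxied from /etc/passwd does not carry, so `access_provider = ipa` has nothing to match against in the first variant. The domain `example.com`, the server `ipa.example.com` and the client name `client.example.com` are assumed placeholders; nothing here is taken from Warren's actual configuration.

```ini
# Added example, not from the thread. Hostnames, realm and domain are assumed.
#
# --- /etc/sssd/sssd.conf, variant A: the "proxy hack" ---
# Identity comes from /etc/passwd via the proxy provider; only authentication
# goes to the IPA KDC. The user entry SSSD holds has no IPA originalDN, so the
# HBAC check (access_provider = ipa) cannot find the user on the IPA side.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# HBAC rules are not matched for a proxied user (see Jakub's message above)
access_provider = ipa

# --- /etc/sssd/sssd.conf, variant B: fetch the user from IPA, rely on the cache ---
# This is what ipa-client-install writes; the user entry comes from IPA with
# its originalDN, so HBAC rules defined on the server are enforced at login.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# without this line SSSD defaults to access_provider = permit, i.e. no HBAC
access_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
ipa_hostname = client.example.com
# keep logins working when the IPA server is unreachable (cached hash)
cache_credentials = True
# how long (seconds) a cached user entry is considered valid; 5400 is the default
entry_cache_timeout = 5400
```

`/etc/sssd/sssd.conf` must be owned by root with mode 0600 or SSSD refuses to start. To confirm a rule would admit a given user before relying on it at login, run the simulation on any enrolled host, e.g. `ipa hbactest --user=warren --host=client.example.com --service=sshd`, which reports the matched and unmatched rules and an overall access decision.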