[Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes

Alexander Bokovoy abokovoy at redhat.com
Tue Jun 7 13:40:29 UTC 2016


On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>Hi!
>
>I used to run FreeIPA 3.0 on CentOS 6 but recently upgraded this setup to
>FreeIPA 4.2 on CentOS 7.2. And I got 2 of my applications failing, because
>they were accessing LDAP fields krb* (one by itself, another through
>mod_lookup_identity). For the one which makes LDAP requests on its own I
>created an account and LDAP happily gives access to krb* fields once
>that app makes a simple bind.
FreeIPA 4.x has enhanced ACIs but it mostly means there are fewer
attributes accessible to non-authenticated (anonymous) connections. Once
you are authenticated, most of the attributes which were accessed by
anonymous connections before are now available.

>But with the one which relies on mod_lookup_identity I'm having troubles.
>Even though SSSD is being authenticated through GSSAPI, LDAP does not give
>access to krb* fields. I tried to create a separate service record for
>SSSD - no change. And I couldn't make SSSD do a simple bind instead of using
>GSSAPI. I tried to set up FreeIPA so that by default it gives access to
>krb* fields, but the web interface rejected that change.
>
>Could you please help me with this issue? How can I control this behavior
>properly, not with ugly hacks?
Can you show your SSSD configuration? host/ principals should be just
fine to access krb* attributes.


-- 
/ Alexander Bokovoy
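A quick way to verify the point made in the reply (anonymous bind sees fewer attributes, an authenticated host/ principal sees them) is to run the same search both ways and diff the krb* attributes returned. This is an added diagnostic script, not part of the thread; the base DN, user, server and the list of krb attributes are placeholders you adapt to your realm, and the GSSAPI step must run as root to read /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): compare which krb*
# attributes an anonymous LDAP bind and a GSSAPI bind with the host principal
# can read from a FreeIPA 4.x user entry. Attribute names below are real
# FreeIPA attributes; which ones your application needs is an assumption.
KRB_ATTRS="krbPrincipalName krbLastPwdChange krbPasswordExpiration krbLastSuccessfulAuth"
CCACHE="FILE:/tmp/krb5cc_acicheck"   # private cache so sssd's own cache is untouched

# Print the krb* attribute names present in LDIF read from stdin, one per
# line, sorted and de-duplicated. Works on real ldapsearch -LLL output and on
# the constructed sample used in the test.
krb_attrs_in_ldif() {
    sed -n 's/^\(krb[A-Za-z]*\):.*/\1/p' | sort -u
}

# Exit 0 if the LDIF on stdin exposes at least one krb* attribute, 1 otherwise.
ldif_exposes_krb() {
    krb_attrs_in_ldif | grep -q .
}

# Run the same search anonymously and as host/<fqdn>, printing what each sees.
# Usage: compare_binds 'cn=users,cn=accounts,dc=example,dc=test' alice ipa.example.test
compare_binds() {
    base="$1"; user="$2"; server="$3"
    echo "== anonymous bind =="
    ldapsearch -x -LLL -H "ldap://$server" -b "$base" "(uid=$user)" $KRB_ATTRS \
        | krb_attrs_in_ldif
    echo "== GSSAPI bind as host/$(hostname -f) =="
    KRB5CCNAME="$CCACHE" kinit -k "host/$(hostname -f)" || return 1
    KRB5CCNAME="$CCACHE" ldapsearch -Y GSSAPI -Q -LLL -H "ldap://$server" \
        -b "$base" "(uid=$user)" $KRB_ATTRS | krb_attrs_in_ldif
    kdestroy -c "$CCACHE"
}
```

If the host/ principal search lists the attributes but your application still does not see them, the application is not binding with that principal; compare its SSSD configuration with the credentials this script used.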
