[Freeipa-users] security, sssd, pam and web apps

Lachlan Musicman datakid at gmail.com
Wed Jan 18 03:02:13 UTC 2017


Hi,

We have a new rstudio server that we'd like to have FreeIPA manage Auth on.

sssd works - I can log in with my appropriate credentials via the CLI, but the
web interface doesn't accept the creds.

I've read http://www.freeipa.org/page/Web_App_Authentication#PAM_service
but we don't want to create an HBAC service - we aren't having much luck
with HBAC anyway (still working on that) but we also want all users to have
access to this web app.

The original /etc/pam.d/rstudio looks like:

#%PAM-1.0
auth      requisite      pam_succeed_if.so uid >= 500 quiet
auth      required       pam_unix.so nodelay

account   required       pam_unix.so


I've changed it to look like:

#%PAM-1.0
auth      required       pam_sss.so

account   required       pam_sss.so

This works - but does it create any other security issues?

cheers
L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
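
Added example, not part of the original post: a small Python parser that loads the two /etc/pam.d/rstudio stacks quoted above and reports which checks the change removed and added, including the uid >= 500 gate. The names ORIGINAL, MODIFIED, parse_stack, uid_floor and diff_stacks are made up for this illustration.

```python
import re

# The two stacks exactly as quoted in the post above.
ORIGINAL = """\
#%PAM-1.0
auth      requisite      pam_succeed_if.so uid >= 500 quiet
auth      required       pam_unix.so nodelay

account   required       pam_unix.so
"""
MODIFIED = """\
#%PAM-1.0
auth      required       pam_sss.so

account   required       pam_sss.so
"""

# type, control (a single word or a bracketed [value=action ...] list), module, args
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return a list of (type, control, module, args) rules from a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and the #%PAM-1.0 header
        m = RULE.match(line)
        if m:
            rules.append((m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()))
    return rules

def uid_floor(rules):
    """Lowest uid let through by an auth 'pam_succeed_if.so uid >= N' rule, else None."""
    for ptype, _control, module, args in rules:
        if (ptype == "auth" and module == "pam_succeed_if.so"
                and len(args) >= 3 and args[:2] == ["uid", ">="]):
            return int(args[2])
    return None

def diff_stacks(old, new):
    """Return (removed, added) sets of (type, module) pairs between two stacks."""
    before = {(t, m) for t, _c, m, _a in old}
    after = {(t, m) for t, _c, m, _a in new}
    return before - after, after - before

if __name__ == "__main__":
    old, new = parse_stack(ORIGINAL), parse_stack(MODIFIED)
    removed, added = diff_stacks(old, new)
    for t, m in sorted(removed):
        print(f"- {t:8} {m}")
    for t, m in sorted(added):
        print(f"+ {t:8} {m}")
    print("auth uid floor:", uid_floor(old), "->", uid_floor(new))
```

Run against the two stacks, it shows that pam_succeed_if.so and pam_unix.so no longer appear in either phase, and that pam_sss.so is now the only module consulted for both auth and account.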