On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,

I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0...@mywindows.domain.at but there is no corresponding entry on the AD domain controller. The available user attributes in the LDAP directory look like 'myuser0815' (samaccountname) or 'myuser0...@someupnsuffix.domain.at' (userprincipalname).

GssapiLocalName or KrbLocalUserMapping would only map to locally existing users, right? I tried them both and still saw 'myuser0...@mywindows.domain.at' leading to:

[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap authorise: User DN not found, User not found

Any ideas what I could try next?
Don't use mod_authnz_ldap, it doesn't have any clue about real
complexity like the above.

A proper solution would be to use mod_authnz_pam and allow pam_sss to
handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
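The mod_authnz_pam + pam_sss setup recommended in the reply, written out as an added example (not configuration from the thread or from the mod_authnz_pam project). The location path "/app", the PAM service name "app" and the keytab path are constructed placeholders; it assumes mod_auth_gssapi, mod_authnz_pam and an SSSD client enrolled in the IPA domain that trusts the AD forest, with SSSD's Kerberos localauth plugin active so that the AD principal maps to a user pam_sss knows.

```apache
# /etc/httpd/conf.d/app.conf  (constructed path and location)
# Kerberos authentication is done by mod_auth_gssapi; authorization is
# delegated to PAM, so no LDAP attribute lookups happen in Apache.
<Location /app>
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Turn MYUSER0815@MYWINDOWS.DOMAIN.AT into the name SSSD uses for the
    # trusted AD user (e.g. myuser0815@mywindows.domain.at); this relies on
    # the SSSD localauth plugin configured in /etc/krb5.conf.
    GssapiLocalName On
    # Run the PAM account stack of service "app" for the mapped user.
    # pam_sss evaluates the IPA HBAC rules for host + service "app".
    Require pam-account app
</Location>

# /etc/pam.d/app  (PAM service referenced by "Require pam-account app")
# Only the account stack is consulted for an already-authenticated user.
# auth    required  pam_sss.so
# account required  pam_sss.so

# Server side (run once on an IPA admin host), so HBAC can be scoped to
# this application rather than granting every AD user access:
#   ipa hbacsvc-add app
#   ipa hbacrule-add app-users
#   ipa hbacrule-add-service app-users --hbacsvcs=app
#   ipa hbacrule-add-host app-users --hosts=$(hostname -f)
#   ipa hbacrule-add-user app-users --groups=<ipa-group-containing-ad-group>
# A denied user shows up in the SSSD domain log and the PAM log, not as an
# Apache "User DN not found" message, which makes failures easier to triage.
```

Access should be tested with an AD user that is not in the rule as well as one that is; if both succeed, check that the `allow_all` HBAC rule is disabled.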