On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
I was reading
failed to implement that for AD users. The problem is that Kerberos
authenticates myuser0...@mywindows.domain.at but there is no
corresponding entry on the AD domain controller. The available user
attributes in the LDAP directory look like 'myuser0815'
(samaccountname) or 'myuser0...@someupnsuffix.domain.at'.
GssapiLocalName or KrbLocalUserMapping would only map to locally
existing users, right? I tried them both and still saw
'myuser0...@mywindows.domain.at' leading to:
[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap authorise: User DN not found, User not found
Any ideas what I could try next?
Don't use mod_authnz_ldap, it doesn't have any clue about real
complexity like the above.
A proper solution would be to use mod_authnz_pam and allow pam_sss to
handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/
/ Alexander Bokovoy
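As an added example (not part of the original thread and not the mod_authnz_pam project's own documentation), this is what the suggested setup looks like on an IPA-enrolled web server in a trust with AD: mod_auth_gssapi authenticates the Kerberos principal, the krb5 localauth plugin shipped with SSSD turns that principal into the user name SSSD knows, and mod_authnz_pam's `Require pam-account` runs only the PAM account phase through pam_sss, which is where SSSD evaluates the IPA HBAC rules for this host. The Location path `/app`, the keytab path, the PAM service name `httpd-app` and the host and group names are assumptions.

```apache
# /etc/httpd/conf.d/app.conf  (example; module names as shipped on Fedora/RHEL,
# paths and service name assumed)
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
LoadModule authnz_pam_module  modules/mod_authnz_pam.so

<Location "/app">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    # Keytab for the HTTP/<fqdn> service principal (e.g. from ipa-getkeytab).
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Ask libkrb5's localauth for a local name. With sssd-krb5-common installed
    # that is SSSD's localauth plugin, so an AD principal becomes the name SSSD
    # uses for the user (e.g. myuser0815@mywindows.domain.at), not a raw
    # principal that nothing else can resolve.
    GssapiLocalName On
    # Authorization via the PAM account phase of service "httpd-app":
    # pam_sss passes the user and this host to SSSD, which applies IPA HBAC.
    Require pam-account httpd-app
</Location>

# /etc/pam.d/httpd-app  (assumed file; Require pam-account only calls the
# account stack, so no auth line is needed)
#   account  required  pam_sss.so
```

On the IPA side the HBAC service and rule are what actually grant access; assuming the names above, the shape is `ipa hbacsvc-add httpd-app`, `ipa hbacrule-add allow_app`, `ipa hbacrule-add-service allow_app --hbacsvcs=httpd-app`, `ipa hbacrule-add-host allow_app --hosts=<web server fqdn>` and `ipa hbacrule-add-user allow_app --groups=<IPA POSIX group that contains the AD external group>`. Two checks worth doing before blaming the rule: on SELinux-enforcing hosts mod_authnz_pam needs `setsebool -P httpd_mod_auth_pam on`, and `sssctl` or `getent passwd myuser0815@mywindows.domain.at` on the web server should resolve the same name that GssapiLocalName produces, otherwise pam_sss will also report the user as unknown.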
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org