On 2017-09-28 10:19, Alexander Bokovoy via FreeIPA-users wrote:
> Don't use mod_authnz_ldap, it doesn't have any clue about real
> complexity like the above.
>
> A proper solution would be to use mod_authnz_pam and allow pam_sss to
> handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/

Wouldn't it be sufficient to use

Require pam-account system-auth

because on an ipa client, there is already pam_sss.so in the system-auth pam service file? Or am I missing the point here?

Regards,
Ronald

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org