On ke, 11 heinä 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
I have added the service on IPA and changed on the HBAC rule form "any
service" to "ipsilon", but now I can not login on ipsilon. Also I've
checked that there is no '/etc/pam.d/ipsilon' file.
On my Ipsilon server (based on Fedora 27) I have:
# rpm -qf /etc/pam.d/ipsilon
ipsilon-base-2.0.2-6.fc27.noarch
# cat /etc/pam.d/ipsilon
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the
user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
Thanks & Regards.
-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Tuesday, July 10, 2018 15:31
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>; Rob Crittenden
<rcrit...@redhat.com>
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is
used Ipsion
On ti, 10 heinä 2018, Rob Crittenden via FreeIPA-users wrote:
SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
RHEL 7.5 with IPA server 4.5.4
RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL
repositories (v1.0.0) and added manually patch:
https://pagure.io/ipsilon/pull-request/44#request_diff
I have configured Jira with the plugin for SAML2 (SAML Single Sign On
(SSO) Jira, SAML/SSO
<https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-ss
o-jira-saml-sso>) and it works fine, when I try to login on Jira I’m
redirected to Ipsilon server and when I put user/pass (using IPA user)
I log in.
My problem is that I don’t know how to configure which users can log
in on the service. Right now all users able to login on the Ipsilon
server via “any service” can login.
On Jira side I can create the users manually and configure that just
existing users can log in, but I would prefer not to manage users on
the service provider side.
Also I want to add more services to Ipsilon, so not all users allowed
to log in on Ipsilon should log in on all services.
If I can create a pam service for any of the services managed by
ipsilon, it would be perfect, as I could create HBAC rules for any
service and authorization would be manage just on IPA.
Can anyone explain or give some documentation about this?
I forget what pam service is used by Ipsilon by default. I'd suggest
you ask on the ipsilon mailing list or in #ipsilon on freenode.
It is 'ipsilon'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/C43VGBU2HELLOTQR2FMYB4UIG4JKZP4L/
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/2G33WBBO7VX34PGFNFFEOJ6JBA65YH5S/
