Thanks for the info. Unfortunately my version doesn’t have it, but googling I 
found this:
https://bugzilla.redhat.com/show_bug.cgi?id=1348585

In my version the 'remote' service is used.

Thanks & Regards.


-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com> 
Sent: Wednesday, July 11, 2018 14:08
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcrit...@redhat.com>; SOLER SANGUESA Miguel 
<sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is 
used Ipsion

On Wed, 11 Jul 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>I have added the service on IPA and changed on the HBAC rule from "any 
>service" to "ipsilon", but now I cannot log in on ipsilon. Also I've 
>checked that there is no '/etc/pam.d/ipsilon' file.

On my Ipsilon server (based on Fedora 27) I have:

# rpm -qf /etc/pam.d/ipsilon
ipsilon-base-2.0.2-6.fc27.noarch

# cat /etc/pam.d/ipsilon
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin


>
>Thanks & Regards.
>
>-----Original Message-----
>From: Alexander Bokovoy <aboko...@redhat.com>
>Sent: Tuesday, July 10, 2018 15:31
>To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>Cc: SOLER SANGUESA Miguel <sol...@unicc.org>; Rob Crittenden 
><rcrit...@redhat.com>
>Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services 
>where is used Ipsion
>
>On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
>>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>>Hello,
>>>
>>>RHEL 7.5 with IPA server 4.5.4
>>>
>>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL 
>>>repositories (v1.0.0) and added manually patch:
>>>https://pagure.io/ipsilon/pull-request/44#request_diff
>>>
>>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>>>(SSO) Jira, SAML/SSO
>>><https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso>)
>>>and it works fine, when I try to login on Jira I’m
>>>redirected to Ipsilon server and when I put user/pass (using IPA 
>>>user) I log in.
>>>
>>>My problem is that I don’t know how to configure which users can log 
>>>in on the service. Right now all users able to login on the Ipsilon 
>>>server via “any service” can login.
>>>
>>>On Jira side I can create the users manually and configure that just 
>>>existing users can log in, but I would prefer not to manage users on 
>>>the service provider side.
>>>
>>>Also I want to add more services to Ipsilon, so not all users allowed 
>>>to log in on Ipsilon should log in on all services.
>>>
>>>If I can create a pam service for any of the services managed by 
>>>ipsilon, it would be perfect, as I could create HBAC rules for any 
>>>service and authorization would be managed just on IPA.
>>>
>>>Can anyone explain or give some documentation about this?
>>
>>I forget what pam service is used by Ipsilon by default. I'd suggest 
>>you ask on the ipsilon mailing list or in #ipsilon on freenode.
>It is 'ipsilon'.
>
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering Red Hat Limited, Finland 
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to 
>freeipa-users-le...@lists.fedorahosted.org
>Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: 
>https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/C43VGBU2HELLOTQR2FMYB4UIG4JKZP4L/

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
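
Added example, not part of the thread and not Ipsilon or FreeIPA code: an HBAC rule naming a service only takes effect when the application opens a PAM service of that same name and that service's account stack reaches pam_sss.so, where SSSD evaluates HBAC. The sketch below checks both conditions for a service name; the function names and the password-auth content are assumptions, and the sample tree is constructed.

```python
import re

# Constructed sample of /etc/pam.d as {filename: content}. "ipsilon" keeps the
# auth/account lines of the file quoted in the thread; "password-auth" is an
# assumed SSSD-enabled stack, not taken from the thread.
SAMPLE_PAM_D = {
    "ipsilon": (
        "#%PAM-1.0\n"
        "auth       substack     password-auth\n"
        "account    required     pam_nologin.so\n"
        "account    include      password-auth\n"
    ),
    "password-auth": (
        "auth     sufficient pam_sss.so forward_pass\n"
        "account  required   pam_unix.so\n"
        "account  [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
        "account  required   pam_permit.so\n"
    ),
}

# type, control (bare word or [bracketed list]), then module or included file
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def account_modules(service, pam_d, chain=()):
    """Modules in the account phase of `service`, following include/substack."""
    if service in chain or service not in pam_d:
        return []  # include loop or missing file: nothing more to collect
    modules = []
    for raw in pam_d[service].splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != "account":
            continue  # comments, blank lines and other PAM types are skipped
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += account_modules(target, pam_d, chain + (service,))
        else:
            modules.append(target.rsplit("/", 1)[-1])
    return modules

def hbac_enforceable(service, pam_d):
    """Classify whether an HBAC rule naming `service` can take effect here."""
    if service not in pam_d:
        return "no-pam-file"   # Linux-PAM falls back to the "other" service
    if "pam_sss.so" not in account_modules(service, pam_d):
        return "no-pam_sss"    # account phase never reaches SSSD
    return "ok"
```

On a real host, build the dictionary from the files under /etc/pam.d and pass the service name the application actually opens.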