Also, for the last version 2.1.0, I realized that it can be created with this:
cp templates/install/pam/ipsilon.pamd /etc/pam.d/ipsilon

Thanks & Regards.

-----Original Message-----
From: Alexander Bokovoy <> 
Sent: Wednesday, July 11, 2018 14:08
To: FreeIPA users list <>
Cc: Rob Crittenden <>; SOLER SANGUESA Miguel 
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is 
used Ipsion

On Wed, 11 Jul 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>I have added the service on IPA and changed on the HBAC rule from "any 
>service" to "ipsilon", but now I cannot log in on ipsilon. Also I've 
>checked that there is no '/etc/pam.d/ipsilon' file.

On my Ipsilon server (based on Fedora 27) I have:

# rpm -qf /etc/pam.d/ipsilon

# cat /etc/pam.d/ipsilon
auth       substack     password-auth
auth       include      postlogin
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required
# open should only be followed by sessions to be executed in the user context
session    required open
session    required
session    optional force revoke
session    include      password-auth
session    include      postlogin

>Thanks & Regards.
>-----Original Message-----
>From: Alexander Bokovoy <>
>Sent: Tuesday, July 10, 2018 15:31
>To: FreeIPA users list <>
>Cc: SOLER SANGUESA Miguel <>; Rob Crittenden 
>Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services 
>where is used Ipsion
>On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
>>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>>RHEL 7.5 with IPA server 4.5.4
>>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL 
>>>repositories (v1.0.0) and added manually patch:
>>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>>>(SSO) Jira, SAML/SSO
>>>o-jira-saml-sso>) and it works fine, when I try to login on Jira I’m
>>>redirected to Ipsilon server and when I put user/pass (using IPA 
>>>user) I log in.
>>>My problem is that I don’t know how to configure which users can log 
>>>in on the service. Right now all users able to login on the Ipsilon 
>>>server via “any service” can login.
>>>On Jira side I can create the users manually and configure that just 
>>>existing users can log in, but I would prefer not to manage users on 
>>>the service provider side.
>>>Also I want to add more services to Ipsilon, so not all users allowed 
>>>to log in on Ipsilon should log in on all services.
>>>If I can create a pam service for any of the services managed by 
>>>ipsilon, it would be perfect, as I could create HBAC rules for any 
>>>service and authorization would be managed just on IPA.
>>>Can anyone explain or give some documentation about this?
>>I forget what pam service is used by Ipsilon by default. I'd suggest 
>>you ask on the ipsilon mailing list or in #ipsilon on freenode.
>It is 'ipsilon'.
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering Red Hat Limited, Finland 
>FreeIPA-users mailing list --
>To unsubscribe send an email to 
>Fedora Code of Conduct:
>List Guidelines:
>List Archives: 

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
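
An added example, not part of the original thread and not Ipsilon or FreeIPA code: a small check of which PAM file a service name resolves to and whether its account stack reaches pam_sss.so, the module through which SSSD evaluates HBAC. It models the Linux-PAM fallback to the "other" service when /etc/pam.d/<service> is missing; the file contents below are constructed samples and the function names are hypothetical.

```python
import os
import tempfile

def stack_modules(pam_dir, service, phase, seen=None):
    """List the modules one PAM phase runs, following include/substack."""
    seen = set() if seen is None else seen
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):
        return []
    seen.add(service)
    modules = []
    with open(path) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0].lstrip("-") != phase:
                continue
            i = 1
            if fields[1].startswith("["):      # "[default=bad success=ok]" control
                while i < len(fields) - 1 and not fields[i].endswith("]"):
                    i += 1
            if i + 1 >= len(fields):
                continue                       # no module or file name on the line
            target = fields[i + 1]
            if fields[1] in ("include", "substack"):
                modules += stack_modules(pam_dir, target, phase, seen)
            else:
                modules.append(os.path.basename(target))
    return modules

def hbac_check(pam_dir, service):
    """Report the PAM file actually used and whether account reaches pam_sss."""
    used = service if os.path.isfile(os.path.join(pam_dir, service)) else "other"
    mods = stack_modules(pam_dir, used, "account")
    return {"file_used": used, "account_modules": mods,
            "reaches_pam_sss": "pam_sss.so" in mods}

def demo():
    """Run the check before and after the ipsilon PAM file exists."""
    d = tempfile.mkdtemp()
    samples = {  # constructed sample files, not copied from a real host
        "other": "auth required pam_deny.so\naccount required pam_deny.so\n",
        "password-auth": "account required pam_unix.so\n"
                         "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
                         "account required pam_permit.so\n",
    }
    for name, text in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    before = hbac_check(d, "ipsilon")          # no /etc/pam.d/ipsilon yet
    with open(os.path.join(d, "ipsilon"), "w") as fh:
        fh.write("auth substack password-auth\naccount include password-auth\n")
    return before, hbac_check(d, "ipsilon")
```

On a real host, call `hbac_check("/etc/pam.d", "ipsilon")` and compare the result with `ipa hbactest` for the same service name.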