Also, for the latest version (2.1.0) I realized that it can be created with this:

cp templates/install/pam/ipsilon.pamd /etc/pam.d/ipsilon
Thanks & Regards.

-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Wednesday, July 11, 2018 14:08
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcrit...@redhat.com>; SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion

On ke, 11 heinä 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>I have added the service on IPA and changed the HBAC rule from "any service" to "ipsilon", but now I can not log in on ipsilon. Also I've checked that there is no '/etc/pam.d/ipsilon' file.
On my Ipsilon server (based on Fedora 27) I have:

# rpm -qf /etc/pam.d/ipsilon
ipsilon-base-2.0.2-6.fc27.noarch
# cat /etc/pam.d/ipsilon
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

>
>Thanks & Regards.
>
>-----Original Message-----
>From: Alexander Bokovoy <aboko...@redhat.com>
>Sent: Tuesday, July 10, 2018 15:31
>To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>Cc: SOLER SANGUESA Miguel <sol...@unicc.org>; Rob Crittenden <rcrit...@redhat.com>
>Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion
>
>On ti, 10 heinä 2018, Rob Crittenden via FreeIPA-users wrote:
>>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>>Hello,
>>>
>>>RHEL 7.5 with IPA server 4.5.4
>>>
>>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL repositories (v1.0.0) and manually added the patch:
>>>https://pagure.io/ipsilon/pull-request/44#request_diff
>>>
>>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On (SSO) Jira, SAML/SSO <https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso>) and it works fine: when I try to log in on Jira I'm redirected to the Ipsilon server, and when I put user/pass (using an IPA user) I log in.
>>>
>>>My problem is that I don't know how to configure which users can log in on the service. Right now all users able to log in on the Ipsilon server via "any service" can log in.
>>>
>>>On the Jira side I can create the users manually and configure that just existing users can log in, but I would prefer not to manage users on the service provider side.
>>>
>>>Also I want to add more services to Ipsilon, so not all users allowed to log in on Ipsilon should log in on all services.
>>>
>>>If I can create a pam service for any of the services managed by ipsilon, it would be perfect, as I could create HBAC rules for any service and authorization would be managed just on IPA.
>>>
>>>Can anyone explain or give some documentation about this?
>>
>>I forget what pam service is used by Ipsilon by default. I'd suggest you ask on the ipsilon mailing list or in #ipsilon on freenode.
>It is 'ipsilon'.
>
>
>--
>/ Alexander Bokovoy
>Sr. Principal Software Engineer
>Security / Identity Management Engineering
>Red Hat Limited, Finland
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/C43VGBU2HELLOTQR2FMYB4UIG4JKZP4L/

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
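The setup this thread works toward, a FreeIPA HBAC rule scoped to the 'ipsilon' PAM service, as an added shell example that is not code from the thread, Ipsilon or FreeIPA: it checks that /etc/pam.d/ipsilon is in place, registers the service and a rule for one group on the Ipsilon host, and evaluates the result with ipa hbactest. It assumes the ipa CLI with an admin Kerberos ticket; the group, host and user names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ipsilon/FreeIPA.
# Scope Ipsilon logins to one IPA group with an HBAC rule on the
# 'ipsilon' PAM service, then check it the way SSSD would evaluate it.
# Assumes: the 'ipa' CLI with an admin Kerberos ticket (kinit admin);
# group, host and user names used below are placeholders.
set -eu

IPA=${IPA:-ipa}   # set IPA=echo to dry-run the commands without a server

# The HBAC check only happens under the service name 'ipsilon' if
# /etc/pam.d/ipsilon exists (shipped as templates/install/pam/ipsilon.pamd).
# Returns 0 when the file is present and carries auth and account lines.
pam_service_present() {
    f=${1:-/etc/pam.d/ipsilon}
    [ -f "$f" ] \
        && grep -Eq '^[[:space:]]*auth[[:space:]]' "$f" \
        && grep -Eq '^[[:space:]]*account[[:space:]]' "$f"
}

# Register the PAM service in IPA and bind a rule to it for one group on
# the Ipsilon host. Note: while the default allow_all rule stays enabled
# it still matches every service, so it has to be narrowed or disabled
# separately (after confirming other rules cover ssh, sudo and the like)
# before this rule restricts anything.
add_ipsilon_hbac() {
    group=$1
    host=$2
    rule=${3:-allow_ipsilon_$group}
    "$IPA" hbacsvc-add ipsilon --desc="Ipsilon IdP login" || true  # exists on re-run
    "$IPA" hbacrule-add "$rule" --desc="Ipsilon login for $group"
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs=ipsilon
    "$IPA" hbacrule-add-user "$rule" --groups="$group"
    "$IPA" hbacrule-add-host "$rule" --hosts="$host"
}

# Simulate the access decision for one user without changing any config.
check_user() {
    "$IPA" hbactest --user="$1" --host="$2" --service=ipsilon
}

# Usage (placeholders):
#   pam_service_present && add_ipsilon_hbac jira-users idp.example.test
#   check_user alice idp.example.test
```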