On Mon, Jun 29, 2020 at 02:02:58PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 29 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
> > In our setup, a service is running on some server machine, say,
> > "sample/servername.domain" and a client for that service is
> > running on a workstation (using the sample gssapi client and
> > server code from the kerberos sources). Now, what is the proper
> > way to do this in freeipa?
> >
> > 1. Allow users foo and bar to log in to the workstation but to no
> >    other machine of the kerberos realm.
> > 2. Deny access to sample/servername.domain from any host except
> >    from the workstation.
> > 3. Allow user foo access to the service.
> > 4. Deny user bar access to the service.
> > 5. Deny both users access to anything else on the server.
...
> A recommended way is to teach your application to use PAM for
> authorization and set PAM configuration to use pam_sss.so for session
> and access checks. SSSD will handle HBAC rules application
> automatically once your app tries to do an access check for a user.
Thanks for the info. We now have a sample client-server that uses
gssapi to connect, and a sample program that does authorization via
pam. So, the complete solution would be:

* Use gssapi from the sample program to connect the client with the
  server and authenticate the user.
* Somehow extract the (authenticated) username from the connection
  established by gssapi.
* Pass the username to pam_authenticate().
* Set up the pam config file for the service to use pam_sss to check,
  say, that the user is in a certain group that is allowed.

Correct? Is gssapi a sensible choice of programming interface to
implement this, or should one rather use a higher level library like
sasl?

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
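The two steps the thread talks about, modelled offline as an added example (this is not code from the thread, from FreeIPA or from SSSD): first the mapping from the principal that GSSAPI authenticated to the user name PAM is asked about, then an allow-only HBAC evaluation of the kind pam_sss/SSSD performs for (user, target host, PAM service) during the PAM account stage. The realm name DOMAIN, the host names, the group "sample-users" and the rules are assumptions constructed to match the five points in the question; the evaluator is a small model of the rule semantics (rules only allow, a request passes if any enabled rule matches, each dimension may be "all"), not SSSD's implementation.

```python
"""Added example: GSSAPI principal -> user name -> HBAC-style access check.

Constructed for the thread's scenario; not FreeIPA/SSSD code. The realm,
hosts, group and rules below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

REALM = "DOMAIN"                     # assumption: realm both machines are in
WORKSTATION = "workstation.domain"   # assumption: the users' workstation
SERVER = "servername.domain"         # host from the question


def principal_to_user(principal: str, realm: str = REALM) -> str:
    """Map an authenticated GSSAPI display name to a local account name.

    Only plain user principals of our own realm are accepted: a different
    realm is a cross-realm identity we never meant to authorize, and a '/'
    marks a service principal, which is not a PAM user at all.
    """
    name, at, got_realm = principal.rpartition("@")
    if not at or not name or got_realm != realm:
        raise ValueError(f"{principal!r} is not a user of realm {realm}")
    if "/" in name:
        raise ValueError(f"{principal!r} is a service principal, not a user")
    return name


@dataclass(frozen=True)
class Rule:
    """One HBAC rule: who (users/groups), where (target hosts), what (services).

    A set containing "all" matches anything, like a rule whose user, host or
    service category is set to 'all'. HBAC rules only ever allow; denial is
    the absence of a matching rule.
    """
    name: str
    users: frozenset[str]      # user names, or {"all"}
    groups: frozenset[str]     # user group names
    hosts: frozenset[str]      # target host FQDNs, or {"all"}
    services: frozenset[str]   # PAM service names, or {"all"}
    enabled: bool = True

    def matches(self, user: str, groups: set[str], host: str, service: str) -> bool:
        if not self.enabled:
            return False
        who = "all" in self.users or user in self.users or bool(self.groups & groups)
        where = "all" in self.hosts or host in self.hosts
        what = "all" in self.services or service in self.services
        return who and where and what


def hbac_allowed(rules, user: str, groups: set[str], host: str, service: str) -> bool:
    """Allow iff at least one enabled rule matches on all three dimensions."""
    return any(r.matches(user, groups, host, service) for r in rules)


# Constructed group membership (what the evaluator would learn from IPA).
GROUPS = {"foo": {"sample-users"}, "bar": set()}

RULES = (
    # Point 1: foo and bar may log in to the workstation, and nowhere else.
    Rule("workstation_login", frozenset({"foo", "bar"}), frozenset(),
         frozenset({WORKSTATION}), frozenset({"sshd", "login"})),
    # Points 3 and 4: members of sample-users (foo) may use the "sample"
    # PAM service on the server; bar matches no rule and is denied.
    Rule("sample_service", frozenset(), frozenset({"sample-users"}),
         frozenset({SERVER}), frozenset({"sample"})),
    # Point 5 follows from the absence of any other rule for the server.
    # The allow_all rule that exists after installation would override all
    # of the above, so it must be disabled for the rules to mean anything.
    Rule("allow_all", frozenset({"all"}), frozenset(),
         frozenset({"all"}), frozenset({"all"}), enabled=False),
)


def authorize(principal: str, host: str, service: str, rules=RULES) -> bool:
    """What the server does once the GSSAPI context is established:
    derive the user from the peer's principal, then ask whether that user
    may use this PAM service on this host (pam_acct_mgmt with pam_sss in
    the real program). Unknown realms and service principals are denied."""
    try:
        user = principal_to_user(principal)
    except ValueError:
        return False
    return hbac_allowed(rules, user, GROUPS.get(user, set()), host, service)


if __name__ == "__main__":
    for principal, host, service in [
        ("foo@DOMAIN", SERVER, "sample"), ("bar@DOMAIN", SERVER, "sample"),
        ("foo@DOMAIN", WORKSTATION, "sshd"), ("foo@DOMAIN", SERVER, "sshd"),
        ("sample/servername.domain@DOMAIN", SERVER, "sample"),
    ]:
        verdict = "allow" if authorize(principal, host, service) else "deny"
        print(f"{verdict:5} {principal} -> {service}@{host}")
```

Two things the model makes visible that the plan in the mail does not: the check that belongs after GSSAPI is the account stage (pam_acct_mgmt, with "account required pam_sss.so" in the service's PAM file), since SSSD applies HBAC there and the user has already been authenticated by Kerberos, whereas pam_authenticate() with pam_sss would ask for a password again; and the evaluator has no source-host dimension, so point 2 (only the workstation may reach the service) is not something to expect from HBAC evaluation in SSSD, which looks at the target host only, and has to be enforced by the service itself or at the network.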
