Mariusz Stysiak via FreeIPA-users wrote:
> Hello everyone,
>
> I have a nice and working IPA v3 with trust to AD set up. On one of our SMTP
> servers (with authentication against a different LDAP via sssd) I have set up a
> saslauthd service which binds to our IPA server on 636/tcp using credentials
> and a certificate issued for a specific IPA user. SASL works perfectly well as
> long as I try to authenticate IPA users (who can be found with the ipa-user
> command), even with 2FA enabled, yet it fails if I try to authenticate an AD user
> who was 'imported' into IPA via the 'ipa group-add-member' command and the 'external
> group as a member of POSIX group' method. AD users can be seen using the 'id'
> command and can be allowed to log on to Linux servers, execute sudo commands
> based on HBAC rules and so on. Even FreeRADIUS with OTP works. Alas, no SASL.
> I know that it would probably be wiser to set SASL to ask AD directly, but I
> am just curious whether it is possible to make it work via IPA.

You need to use SASL directly. IPA doesn't authenticate to AD, the user
does. Then IPA resources are available to them via trust.

rob