Rob, thank you for your prompt answer. Could you elaborate a bit, just so I could have a proper understanding of what is going on when authentication against IPA happens? I thought that when an AD user tries to log into a Linux server, credentials are sent to IPA, then forwarded to AD, and IPA trusts the answer received from the AD controller (user authenticated or not). In the next step, based on its own resources (e.g. group privileges), IPA evaluates if this particular user (already authenticated by the AD) is allowed to log into server X. Is this correct? If so, I thought, IPA gets the information 'user authenticated or not' even if authentication is done by the AD, and based on this information should be able to answer questions sent by saslauthd. Or maybe saslauthd is more like a 'ldapsearch + password check' and its requests are answered only within the specific LDAP set in the sasl config (and since the LDAP is not the IPA part that forwards the auth request to the AD, it cannot get any info from it)?
I understand that my question might seem purely academic, but a good understanding of how it all works under the hood never hurts and could save a lot of time one day.

regards,
M
