Sam Morris via FreeIPA-users wrote:
> On 28/02/2024 17:23, Sam Morris via FreeIPA-users wrote:
>> Another approach is possible, where you don't configure the
>> authentication indicator requirement on the host/service objects
>> within the directory; instead, the hosts/services are themselves
>> responsible for examining the authentication indicators on the tickets
>> that clients present, and enforcing a policy.
>>
>> For authentication to hosts, this can be done with pam_sss_gss.so.
>> I've not seen it implemented anywhere else, so for cases such as
>> having Apache check the client's ticket for an 'otp' indicator, I
>> don't think that can be done yet.
>
> Correction: mod_auth_gssapi has a GssapiRequiredNameAttributes directive
> & it looks like this can be used to require particular auth-indicators
> attributes on clients' service tickets:
>
> https://github.com/gssapi/mod_auth_gssapi?tab=readme-ov-file#gssapirequirednameattributes
FYI a related PR https://github.com/freeipa/freeipa/pull/7200

rob
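As an added illustration (not part of the thread or of mod_auth_gssapi's own documentation), here is an httpd fragment applying the service-side check Sam's correction describes: the web server, not the directory, rejects tickets that lack the 'otp' authentication indicator. The location, keytab path and AuthName are placeholders; "auth-indicators" is the GSS name attribute MIT krb5 exposes for a ticket's authentication indicators.

```apache
# Added example, not from the thread. Assumed: mod_auth_gssapi with
# GssapiRequiredNameAttributes support, a placeholder keytab path and
# placeholder location. Without the GssapiRequiredNameAttributes line
# any valid service ticket (e.g. one obtained with a password alone)
# would be accepted.
<Location "/admin">
    AuthType GSSAPI
    AuthName "Kerberos login (OTP required)"
    GssapiCredStore keytab:/etc/httpd/httpd.keytab

    # Accept only tickets whose auth-indicators attribute contains 'otp';
    # tickets issued after password-only authentication get a 401.
    GssapiRequiredNameAttributes "auth-indicators=otp"

    Require valid-user
</Location>
```

The enforcement happens per-service here, so a host whose IPA service object carries no `krbPrincipalAuthInd` requirement can still insist on OTP for this one location while leaving other paths open to password-derived tickets.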
