1) HBAC update, I've never seen a delay.....so it seems to be a few seconds.....so 
I'm not sure why you need to restart sssd.

2) I also think I have asked about that.....not sure what you are aiming to 
achieve/mean....with having no KDC / LDAP stores. I'd like a read-only slave 
capability for out in the DMZ...and possibly only export certain groups from 
the read/write out to the slave....but maybe I'm being overly paranoid....but I 
think AD2008r2? can do that.


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Cam McK [tom...@cam34.endjunk.com]
Sent: Friday, 8 June 2012 1:22 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves


Thanks for an awesome product! I have two questions that I can't seem to find 
answers for...

1). How long is the delay between changing a HBAC rule and it coming into 
effect on the host machine?
Currently this information only seems to be updated on the host after a 
'service sssd reload/restart'. Also, are the HBAC access rules stored within 
the LDAP directory?

2). We would also like to use FreeIPA in a trusted network but then have 
perhaps a read-only slave sitting in the DMZ with the possibility of not containing 
the KDC or LDAP password stores on it; is this possible?
 (Basically authentication being done by a different PAM module, but pam_sss.so 
still allowing HBAC via the PAM 'account' directive.)
Is it possible to have a 'regular' LDAP directory (in the DMZ) just slurping 
down the required LDAP info?

Many Thanks
