1) HBAC update, Ive never seen a delay.....so seems to be a few seconds.....so
Im not sure why you ned to restart sssd.
2) I also I think have asked on that.....not sure what you are aiming to
achieve/mean....with having no kdc / ldap stores. I'd like a read only slave
capability for out in the dmz...and possibly only export certain groups from
the read/write out to the slave....but maybe Im being overly paranoid....but I
think AD2008r2? can do that.
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Cam McK [tom...@cam34.endjunk.com]
Sent: Friday, 8 June 2012 1:22 p.m.
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves
Thanks for an awesome product! I have two questions that I can't seem to find
1). How long is the delay between changing a HBAC rule and it coming into
affect on the host machine?
Currently this information only seems to be updated on the host after an
'service sssd reload/restart' also are the HBAC access rules are stored within
2). We would also like to use FreeIPA in a trusted network but then have
perhaps a read-only slave sitting in DMZ with the possibility of not containing
the KDC or LDAP password stores on it, is this possible?
(Basically authentication being done by a different PAM module, but pam_sss.so
still allowing HBAC via the PAM 'account' directive.)
Is it possible to have a 'regular' LDAP directory (in the DMZ) just slurping
down the required LDAP info?
Freeipa-users mailing list