On 09/23/2014 11:54 AM, Loris Santamaria wrote:
Hi, I'm setting up a squid proxy in an environment with a trust
relationship between IPA and AD.

The machine where squid is running belongs to the IPA domain, users may
belong to AD or to IPA and in each one of the domains there are groups
that define the level of internet access of their members.

For simplicity's sake, let's say that there is only one group in each
domain called "internet_access". Its members should be granted permission
by squid.

In IPA I created an external group called internet_access_ad, whose
member is internet_acc...@ad.domain.com, so if the user is a member of
internet_access in AD it should be a member of internet_access in IPA,
thanks to the trust relationship.

The authentication part works beautifully, IPA and AD users are
recognized by the squid proxy via negotiate auth, but the authorization
part is another story.

Since the remote user hasn't logged in via console or ssh on the server
where squid is running, SSSD ignores its group membership, so one can't
use squid's pam_group helper to determine if the user is in the
internet_acc...@ipa.domain.com group.

Trying to look up membership via LDAP in the compat tree doesn't
really work (see my previous mail on the subject). Also, it won't work
when the realm name is in upper case, although this should be really
easy to solve in the squid helper.

For the time being I will resort to making two LDAP queries, one on IPA
and one on AD, but it seems to me that the proper way to go would be to
decode the PAC and get authorization info from there, or have a way to
query SSSD for complete group membership of a user even if he or she
hasn't logged in on a server.

How could SSSD/IPA help to solve this fairly common need (querying
user membership from an app)?
I think this is the issue that you are describing.
Patches are on the list and targeting 4.1.x and 1.12.x

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
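Added example (not code from the thread or from the squid/FreeIPA projects): a minimal squid external ACL helper in Python that implements the interim workaround Loris describes, routing each principal to the IPA or the AD directory by its realm and normalising the realm case so an upper-case realm does not break the lookup. The realm names and the in-memory membership table are constructed placeholders standing in for the two LDAP queries; a deployment would replace lookup_groups() with a search against the matching directory.

```python
"""Squid external_acl_type helper: one principal per line in, OK/ERR out."""
import sys

IPA_REALM = "IPA.DOMAIN.COM"   # assumed realm names, not taken from the thread
AD_REALM = "AD.DOMAIN.COM"
REQUIRED_GROUP = "internet_access"

# Constructed membership data standing in for the IPA and AD LDAP queries.
# Structure: realm -> user -> set of group names.
CONSTRUCTED_DIRECTORY = {
    IPA_REALM: {"alice": {"internet_access", "staff"}, "bob": {"staff"}},
    AD_REALM: {"carol": {"internet_access"}, "dave": set()},
}


def parse_principal(principal):
    """Split 'user@realm' into (user, REALM). The realm is upper-cased so
    'alice@ipa.domain.com' and 'alice@IPA.DOMAIN.COM' route identically."""
    if "@" not in principal:
        return None, None
    user, realm = principal.rsplit("@", 1)
    return user, realm.upper()


def lookup_groups(realm, user, directory=CONSTRUCTED_DIRECTORY):
    """Return the groups of user in realm; unknown realm or user yields an
    empty set, so the caller denies by default."""
    return set(directory.get(realm, {}).get(user, set()))


def authorize(principal, directory=CONSTRUCTED_DIRECTORY):
    """Return 'OK' if the principal is in REQUIRED_GROUP in its own realm's
    directory, otherwise 'ERR' (squid's external ACL reply format)."""
    user, realm = parse_principal(principal)
    if user is None or realm not in directory:
        return "ERR"   # malformed principal or untrusted realm: deny
    groups = lookup_groups(realm, user, directory)
    return "OK" if REQUIRED_GROUP in groups else "ERR"


def main():
    # squid writes the %LOGIN value one per line and reads one reply per line.
    for line in sys.stdin:
        principal = line.strip()
        if principal:
            print(authorize(principal), flush=True)


if __name__ == "__main__":
    main()
```

Wiring it in squid.conf is assumed to look like `external_acl_type internet_groups %LOGIN /path/to/helper.py` followed by an `acl` and `http_access` rule referencing it; the helper path is a placeholder.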
