On 04/20/2015 12:08 PM, Srdjan Dutina wrote:
Sorry for misunderstanding.
I understand HBAC rules will not work for Centos 5. I just wanted to
make sure disabling "allow all" rule and adding new HBAC rules won't
interfere with AD users logging on Centos 5.
CentOS 5 needs to point to compat tree for AD users to authenticate.
You need to use LDAP SSSD back end for that not IPA SSSD back end
(idenity_provider setting in sssd.conf).
Once you use LDAP back end you need to use some other access control
configuration not HBAC as HBAC comes when you use IPA SSSD back end only.
You can use ldap filter or simple acces provider or something other
option that is support in SSSD 1.5 against LDAP.
Does this make sense?
On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy <aboko...@redhat.com
On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>Just found in
>sentence: "If you have HBAC's allow_all rule disabled, you will
>allow system-auth service on the FreeIPA master, so that
>the AD users can be performed."
>Is this true for FreeIPA 4.1.0 also and how could I do this?
Either you are reading it wrong or I don't get where you want to apply
HBAC rules because this is for IPA masters, not legacy clients per se.
Yes, you nede to create HBAC service named 'system-auth' and grant
access to it to AD users on IPA masters, but all it will allow you
authenticate AD users via compat tree.
If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD
cannot be checked by those rules.
/ Alexander Bokovoy
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project