On 04/20/2015 12:08 PM, Srdjan Dutina wrote:
Sorry for misunderstanding.

I understand HBAC rules will not work for Centos 5. I just wanted to make sure disabling "allow all" rule and adding new HBAC rules won't interfere with AD users logging on Centos 5.

To clarify:
CentOS 5 needs to point to compat tree for AD users to authenticate.
You need to use LDAP SSSD back end for that not IPA SSSD back end (idenity_provider setting in sssd.conf). Once you use LDAP back end you need to use some other access control configuration not HBAC as HBAC comes when you use IPA SSSD back end only. You can use ldap filter or simple acces provider or something other option that is support in SSSD 1.5 against LDAP.

Does this make sense?

On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy <aboko...@redhat.com <mailto:aboko...@redhat.com>> wrote:

    On Mon, 20 Apr 2015, Srdjan Dutina wrote:
    >Just found in
    the next
    >sentence: "If you have HBAC's allow_all rule disabled, you will
    need to
    >allow system-auth service on the FreeIPA  master, so that
    authentication of
    >the AD users can be performed."
    >Is this true for FreeIPA 4.1.0 also and how could I do this?
    Either you are reading it wrong or I don't get where you want to apply
    HBAC rules because this is for IPA masters, not legacy clients per se.
    Yes, you nede to create HBAC service named 'system-auth' and grant
    access to it to AD users on IPA masters, but all it will allow you
    is to
    authenticate AD users via compat tree.

    If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD
    cannot be checked by those rules.

    / Alexander Bokovoy

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to