On Mon, 11 May 2015, Vangass wrote:
OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules.
Authentication and account management stages are different in PAM. When authentication is performed, it is separate step. When account management is performed, it is a separate step as well.
HBAC rules are checked at account management stage because this is where all such checks are done traditionally in PAM. If you read documentation, it states: ======================================================================= The pam_acct_mgmt function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated. ======================================================================= If application doesn't call into pam_acct_mgmt, it is not using PAM stack separation of duties properly.  http://linux.die.net/man/3/pam_acct_mgmt -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project