On Mon, 11 May 2015, Vangass wrote:
OK. But the answer granted/declined comes from IPA. So why IPA doesn't
check its own HBAC rules at all?
Maybe the line 'account      required      pam_sss.so' isn't
necessary/required. I just want to do authentication by IPA HBAC rules.
Authentication and account management stages are different in PAM. When
authentication is performed, it is separate step. When account
management is performed, it is a separate step as well.

HBAC rules are checked at account management stage because this is where
all such checks are done traditionally in PAM. If you read
documentation[1], it states:
The pam_acct_mgmt function is used to determine if the users account is
valid. It checks for authentication token and account expiration and
verifies access restrictions. It is typically called after the user has
been authenticated.

If application doesn't call into pam_acct_mgmt, it is not using PAM
stack separation of duties properly.

[1] http://linux.die.net/man/3/pam_acct_mgmt

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to