On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
> OK. But the answer granted/declined comes from IPA. So why IPA doesn't
> check its own HBAC rules at all?
> Maybe the line 'account      required      pam_sss.so' isn't
> necessary/required. I just want to do authentication by IPA HBAC rules.

Note that you can have setups when you don't authenticate via PAM
at all (for example when using Kerberos) yet you do authorization
(access control) using PAM. Authentication is not the correct place to
process HBAC rules.

In your case, nobody is arguing that the password used was correct --
authentication passed, the identity of the client was validated. The
application (tacacs) is supposed to do additional step, now that it
knows what user is attempting to log in -- verify authorization, fact
that the known user should be allowed in, with pam_acct_mgmt.

That's the why.

You could in theory force it to work by writing a wrapper PAM module
which would call both pam_sss's pam_sm_authenticate *and*
pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
a hack, possibly with unexpected side effects.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to