On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:

> OK. But the answer granted/declined comes from IPA. So why doesn't IPA
> check its own HBAC rules at all?
> Maybe the line 'account required pam_sss.so' isn't
> necessary/required. I just want to do authentication by IPA HBAC rules.
Note that you can have setups where you don't authenticate via PAM at all (for example when using Kerberos) yet you do authorization (access control) using PAM. Authentication is not the correct place to process HBAC rules.

In your case, nobody is arguing that the password used was correct -- authentication passed, the identity of the client was validated. The application (tacacs) is supposed to do an additional step, now that it knows what user is attempting to log in -- verify authorization, the fact that the known user should be allowed in, with pam_acct_mgmt. That's the why.

You could in theory force it to work by writing a wrapper PAM module which would call both pam_sss's pam_sm_authenticate *and* pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be a hack, possibly with unexpected side effects.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project