OK. I understand. Thank you for the answer.
2015-05-12 9:39 GMT+02:00 Jan Pazdziora <jpazdzi...@redhat.com>:
> On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
> > OK. But the answer granted/declined comes from IPA. So why doesn't IPA
> > check its own HBAC rules at all?
> > Maybe the line 'account required pam_sss.so' isn't
> > necessary/required. I just want to do authentication by IPA HBAC rules.
>
> Note that you can have setups where you don't authenticate via PAM
> at all (for example when using Kerberos) yet you do authorization
> (access control) using PAM. Authentication is not the correct place to
> process HBAC rules.
>
> In your case, nobody is arguing that the password used was correct --
> authentication passed, the identity of the client was validated. The
> application (tacacs) is supposed to do an additional step, now that it
> knows what user is attempting to log in -- verify authorization, the fact
> that the known user should be allowed in, with pam_acct_mgmt.
>
> That's the why.
>
> You could in theory force it to work by writing a wrapper PAM module
> which would call both pam_sss's pam_sm_authenticate *and*
> pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
> a hack, possibly with unexpected side effects.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
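The two PAM phases Jan describes, as an added illustration that is not part of this thread and not code from FreeIPA, SSSD or libpam. It does not link libpam; `model_authenticate()` and `model_acct_mgmt()` stand in for what `pam_authenticate()` and `pam_acct_mgmt()` reach through the `auth` and `account` stacks, the credential table and the HBAC-style rules are constructed, and every name in it is hypothetical. The point it shows is the one from the reply: an application that stops after authentication (`login_auth_only`) lets in any user with a valid password, while one that also runs the account phase (`login_with_acct_mgmt`) gets the HBAC decision, which is allow-only with a default deny, as in FreeIPA.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return codes mirroring Linux-PAM's values so the model reads like a PAM client. */
enum { MODEL_PAM_SUCCESS = 0, MODEL_PAM_PERM_DENIED = 6, MODEL_PAM_AUTH_ERR = 7 };

/* Constructed credential store standing in for the IPA password check. */
struct cred { const char *user; const char *password; };
static const struct cred CREDS[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};

/* Constructed HBAC-style rules. Like FreeIPA HBAC they are allow-only and
 * anything not matched is denied; "*" plays the role of the "all" category. */
struct hbac_rule { const char *user; const char *host; const char *service; };
static const struct hbac_rule RULES[] = {
    { "alice", "tacacs1.example.test", "tacacs" }, /* only alice may use tacacs on that host */
    { "*",     "*",                    "sshd"   }, /* everyone may log in over ssh anywhere */
};

static bool field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* Phase 1, the "auth" stack: only answers "is this password right for this user?" */
int model_authenticate(const char *user, const char *password)
{
    for (size_t i = 0; i < sizeof CREDS / sizeof CREDS[0]; i++) {
        if (strcmp(CREDS[i].user, user) == 0 && strcmp(CREDS[i].password, password) == 0)
            return MODEL_PAM_SUCCESS;
    }
    return MODEL_PAM_AUTH_ERR;
}

/* Phase 2, the "account" stack: this is where pam_sss evaluates HBAC. */
int model_acct_mgmt(const char *user, const char *host, const char *service)
{
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct hbac_rule *r = &RULES[i];
        if (field_matches(r->user, user) && field_matches(r->host, host) &&
            field_matches(r->service, service))
            return MODEL_PAM_SUCCESS;
    }
    return MODEL_PAM_PERM_DENIED;   /* default deny: no allow rule matched */
}

/* The behaviour reported in the thread: the application stops after authentication,
 * so a valid password is enough and the HBAC rules are never consulted. */
bool login_auth_only(const char *user, const char *password,
                     const char *host, const char *service)
{
    (void)host; (void)service;      /* never looked at: that is the problem */
    return model_authenticate(user, password) == MODEL_PAM_SUCCESS;
}

/* The sequence from the reply: authenticate, then ask the account stack. */
bool login_with_acct_mgmt(const char *user, const char *password,
                          const char *host, const char *service)
{
    if (model_authenticate(user, password) != MODEL_PAM_SUCCESS)
        return false;
    return model_acct_mgmt(user, host, service) == MODEL_PAM_SUCCESS;
}

int main(void)
{
    const char *host = "tacacs1.example.test", *svc = "tacacs";
    printf("bob,   auth only:       %s\n",
           login_auth_only("bob", "battery-staple", host, svc) ? "granted" : "denied");
    printf("bob,   with acct_mgmt:  %s\n",
           login_with_acct_mgmt("bob", "battery-staple", host, svc) ? "granted" : "denied");
    printf("alice, with acct_mgmt:  %s\n",
           login_with_acct_mgmt("alice", "correct-horse", host, svc) ? "granted" : "denied");
    return 0;
}
```

In a real libpam client the same shape is `pam_start()`, `pam_authenticate()`, `pam_acct_mgmt()`, `pam_end()`, with the `account required pam_sss.so` line in the service's PAM configuration being what makes the second call reach the HBAC evaluation; dropping that line, or never calling `pam_acct_mgmt()`, reproduces the `login_auth_only` outcome.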