OK. I understand.
Thank you for the answer.

2015-05-12 9:39 GMT+02:00 Jan Pazdziora <jpazdzi...@redhat.com>:

> On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
> > OK. But the answer granted/declined comes from IPA. So why doesn't IPA
> > check its own HBAC rules at all?
> > Maybe the line 'account      required      pam_sss.so' isn't
> > necessary/required. I just want to do authentication by IPA HBAC rules.
>
> Note that you can have setups when you don't authenticate via PAM
> at all (for example when using Kerberos) yet you do authorization
> (access control) using PAM. Authentication is not the correct place to
> process HBAC rules.
>
> In your case, nobody is arguing that the password used was correct --
> authentication passed, the identity of the client was validated. The
> application (tacacs) is supposed to do an additional step, now that it
> knows what user is attempting to log in -- verify authorization, the fact
> that the known user should be allowed in, with pam_acct_mgmt.
>
> That's the why.
>
> You could in theory force it to work by writing a wrapper PAM module
> which would call both pam_sss's pam_sm_authenticate *and*
> pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
> a hack, possibly with unexpected side effects.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
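The call sequence Jan describes, as an added example that is not code from this thread, from FreeIPA or from tacacs: a small PAM client that runs `pam_authenticate()` and then `pam_acct_mgmt()`, which is the call that lets `pam_sss` evaluate the IPA HBAC rules. It talks to Linux-PAM (`libpam.so.0`) through `ctypes`; the numeric return codes and struct layouts are the Linux-PAM ones, the default service name `tacacs` is an assumed placeholder, and the `decide()` helper is this example's own way of making "authenticated" and "authorized" impossible to confuse.

```python
"""PAM client that performs both the authentication and the account step.

Added example (not from the thread, FreeIPA or tacacs). pam_authenticate()
only verifies the credential; pam_acct_mgmt() is what lets pam_sss ask IPA
whether the now-known user may use this service, and it runs only if the
application calls it. Uses Linux-PAM via ctypes; constants and structs
below follow <security/_pam_types.h> and <security/pam_appl.h>.
"""
import ctypes
import ctypes.util
from enum import Enum

# Linux-PAM return codes and prompt styles used here.
PAM_SUCCESS = 0
PAM_BUF_ERR = 5
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_PROMPT_ECHO_OFF = 1   # e.g. "Password: "
PAM_PROMPT_ECHO_ON = 2    # e.g. "login: "


class Verdict(Enum):
    GRANTED = "granted"              # password OK and account stage OK
    AUTH_FAILED = "auth-failed"      # credential rejected (or unknown user)
    ACCESS_DENIED = "access-denied"  # password OK, account stage (HBAC) said no


def decide(auth_rc, acct_rc):
    """Fold the two stage results into one answer.

    acct_rc is None when pam_acct_mgmt() was never called; that counts as a
    denial, so a caller that stops after pam_authenticate() never grants.
    """
    if auth_rc != PAM_SUCCESS:
        return Verdict.AUTH_FAILED
    if acct_rc != PAM_SUCCESS:
        return Verdict.ACCESS_DENIED
    return Verdict.GRANTED


# struct pam_message / struct pam_response / struct pam_conv (Linux-PAM layout).
class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a void* on purpose: PAM free()s it, so it must come from malloc.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def _make_conv(password):
    """Conversation callback that answers every prompt with the password."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]

    @CONV_FUNC
    def conv(num_msg, msgs, resp_out, appdata):
        block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not block:
            return PAM_BUF_ERR
        responses = ctypes.cast(block, ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            if msgs[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                responses[i].resp = libc.strdup(password.encode())
            responses[i].resp_retcode = 0
        resp_out[0] = responses
        return PAM_SUCCESS
    return conv


def check_access(service, user, password):
    """Run pam_start -> pam_authenticate -> pam_acct_mgmt -> pam_end."""
    path = ctypes.util.find_library("pam")
    if path is None:
        raise OSError("libpam not found")
    libpam = ctypes.CDLL(path)
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_end):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_int]
        fn.restype = ctypes.c_int

    conv_cb = _make_conv(password)   # keep a reference while PAM may call it
    conv = PamConv(conv_cb, None)
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        raise RuntimeError("pam_start failed: %d" % rc)
    acct_rc = None
    try:
        rc = auth_rc = libpam.pam_authenticate(handle, 0)
        if auth_rc == PAM_SUCCESS:
            # The step tacacs was skipping: without it the 'account' stack,
            # and so pam_sss's HBAC evaluation, never runs.
            rc = acct_rc = libpam.pam_acct_mgmt(handle, 0)
        return decide(auth_rc, acct_rc)
    finally:
        libpam.pam_end(handle, rc)


if __name__ == "__main__":
    import getpass, sys
    svc = sys.argv[1] if len(sys.argv) > 1 else "tacacs"   # assumed service name
    usr = sys.argv[2] if len(sys.argv) > 2 else getpass.getuser()
    print(check_access(svc, usr, getpass.getpass()).value)
```

Run it as `python3 pamcheck.py tacacs someuser` on an IPA-enrolled host. The service file in `/etc/pam.d/` still needs the `account required pam_sss.so` line from the question: that line is what routes `pam_acct_mgmt()` to SSSD, while the `auth` line alone only covers `pam_authenticate()`. A user with a correct password but no matching HBAC rule comes back as `access-denied`, never `granted`, which is exactly the distinction the application has to make itself.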
