I was trying FreeIPA as an addition and (maybe) future replacement for
the current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.
I enabled migration mode in FreeIPA, so that authenticated users should
get a Kerberos hash created upon first login, but I don't know how to make
users log in without creating them in advance.
Is there a (suggested) way to let users authenticate via Kerberos and
create users authenticated by PAM upon first login?
My workaround is to create the user in the pam_exec-uted script, but I don't
think this is a clean way of doing it, and I have to use LDAP as first
Thank you in advance for any link, suggestion or solution.