I was trying FreeIPA as an addition to and (maybe) future replacement for the current SSO solution (custom and only for web apps).
I was able to authenticate (via pam_exec) LDAP users on the legacy system.
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA.

I enabled migration mode in FreeIPA, so that authenticated users should get a Kerberos hash created upon first login, but I don't know how to make users log in without creating them in advance.

Is there a (suggested) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login?

My workaround is to create the user in the pam_exec-uted script, but I don't think this is a clean way of doing it, and I have to use LDAP as the first login method.

Thank you in advance for any link, suggestion or solution.

