On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>Hello,
>
>I would like to get freeipa to work with a proxy solution ( I currently have
>this working with an active directory/no trust authentication and sudo but no
>HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a
>ticket for this as a new enhancement #4634 but wanted to confirm that there
>isn't another way to accomplish this.
>
>Here is my current configuration for proxy and this works OK:
>
>[domain/mikey.com]
>sudo_provider = ipa
>ipa_domain = va2.b2c.mikey.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>chpass_provider = ipa
>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>id_provider = proxy
>proxy_lib_name = files
>auth_provider = ldap
>reconnection_retries = 3
>ldap_uri = ldap://adldaplb.mikey.com
>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>ldap_schema = AD
>ldap_default_authtok_type = password
>ldap_network_timeout = 120
>ldap_opt_timeout = 120
>ldap_search_timeout = 120
>ldap_id_use_start_tls = false
>ldap_user_object_class = user
>ldap_group_object_class = group
>ldap_user_name = sAMAccountName
>enumerate = true
>ldap_referrals = true
>ldap_tls_reqcert = allow
>ldap_tls_cacertdir = /etc/openldap/cacerts
>ldap_access_filter = *
>case_sensitive = false
>lookup_family_order = ipv4_only
>dns_resolver_timeout = 30
>cache_credentials = false
>
This configuration file is a little bit suspicious to me. There is mixed/overridden id_provider ipa and proxy + some parts from AD.
HBAC can work only with IPA users or trusted AD users (IPA AD trust). HBAC cannot work with id_provider ldap, proxy or AD.

You can achieve something similar with GPO and ad provider.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
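As an added illustration of the two problems raised in the reply (duplicate provider keys in one domain section, and HBAC being enforced only by the ipa access provider for identities the ipa id provider serves), here is a small sssd.conf linter. It is not code from the thread or from SSSD; the embedded config is a constructed excerpt modelled on the quoted section, with placeholder hostnames.

```python
from typing import Dict, List

# Constructed excerpt modelled on the domain section quoted in the thread;
# hostnames are placeholders, not the poster's real values.
SAMPLE_CONF = """\
[domain/mikey.com]
sudo_provider = ipa
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa1.example.test
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_uri = ldap://ad.example.test
ldap_schema = AD
"""

def collect_keys(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {key: [every value seen, in file order]}}.
    Scanned by hand so repeated keys are kept rather than merged or rejected."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections

def lint_domain(section: Dict[str, List[str]]) -> List[str]:
    findings = []
    for key, values in section.items():
        if len(values) > 1:  # ambiguous: the file sets this option twice
            findings.append(f"{key} set {len(values)} times: {values}")
    id_prov = section.get("id_provider", [])
    # HBAC rules are evaluated by access_provider = ipa and only for users
    # resolved through the ipa id provider (IPA users or trusted-AD users).
    others = [v for v in id_prov if v != "ipa"]
    if "ipa" in section.get("access_provider", []) and others:
        findings.append(f"access_provider=ipa (HBAC) with id_provider {others}: "
                        "HBAC will not apply to these users")
    return findings

def lint(text: str) -> Dict[str, List[str]]:
    return {name: lint_domain(sec) for name, sec in collect_keys(text).items()
            if name.startswith("domain/")}
```

Running `lint(SAMPLE_CONF)` reports the duplicated id_provider and auth_provider keys and the proxy/HBAC mismatch; a section with a single `id_provider = ipa` produces no findings.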