Unfortunately setting up a IPA Ad Trust is something not possible within
our organization. Is it then fair to say that waiting for Ticket #4623 is
our only option? https://fedorahosted.org/freeipa/ticket/4634
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697
On 2/15/16, 12:36 PM, "Lukas Slebodnik" <lsleb...@redhat.com> wrote:
>On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>>I would like to get freeipa to work with a proxy solution ( I currently
>>have this working with an active directory/no trust authentication and
>>sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC.
>>I see there is a ticket for this as a new enhancement #4634 but wanted
>>to confirm that there isn't another way to accomplish this.
>>Here is my current configuration for proxy and this works OK:
>>sudo_provider = ipa
>>ipa_domain = va2.b2c.mikey.com
>>id_provider = ipa
>>auth_provider = ipa
>>access_provider = ipa
>>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>>chpass_provider = ipa
>>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>>ldap_tls_cacert = /etc/ipa/ca.crt
>>id_provider = proxy
>>proxy_lib_name = files
>>auth_provider = ldap
>>reconnection_retries = 3
>>ldap_uri = ldap://adldaplb.mikey.com
>>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>>ldap_schema = AD
>>ldap_default_authtok_type = password
>>ldap_network_timeout = 120
>>ldap_opt_timeout = 120
>>ldap_search_timeout = 120
>>ldap_id_use_start_tls = false
>>ldap_user_object_class = user
>>ldap_group_object_class = group
>>ldap_user_name = sAMAccountName
>>enumerate = true
>>ldap_referrals = true
>>ldap_tls_reqcert = allow
>>ldap_tls_cacertdir = /etc/openldap/cacerts
>>ldap_access_filter = *
>>case_sensitive = false
>>lookup_family_order = ipv4_only
>>dns_resolver_timeout = 30
>>cache_credentials = false
>This configuration file is a little bit suspicious to me.
>There is mixed/overriden id_provider ipa and proxy + some parts from AD.
>HBAC can work only with IPA users or trusted AD users (IPA AD trust)
>HBAC cannot work with id_provider ldap, proxy or AD.
>You can achieve something similar with GPO and ad provider.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project