Thanks Lukas. Unfortunately setting up an IPA AD Trust is something not possible within our organization. Is it then fair to say that waiting for Ticket #4623 is our only option? https://fedorahosted.org/freeipa/ticket/4634
Thanks,
Warren
___________________
Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 12:36 PM, "Lukas Slebodnik" <[email protected]> wrote:

>On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>>Hello,
>>
>>I would like to get freeipa to work with a proxy solution (I currently
>>have this working with an active directory/no trust authentication and
>>sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC.
>>I see there is a ticket for this as a new enhancement #4634 but wanted
>>to confirm that there isn't another way to accomplish this.
>>
>>Here is my current configuration for proxy and this works OK:
>>
>>[domain/mikey.com]
>>sudo_provider = ipa
>>ipa_domain = va2.b2c.mikey.com
>>id_provider = ipa
>>auth_provider = ipa
>>access_provider = ipa
>>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>>chpass_provider = ipa
>>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>>ldap_tls_cacert = /etc/ipa/ca.crt
>>
>>id_provider = proxy
>>proxy_lib_name = files
>>auth_provider = ldap
>>reconnection_retries = 3
>>ldap_uri = ldap://adldaplb.mikey.com
>>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>>ldap_schema = AD
>>ldap_default_authtok_type = password
>>ldap_network_timeout = 120
>>ldap_opt_timeout = 120
>>ldap_search_timeout = 120
>>ldap_id_use_start_tls = false
>>ldap_user_object_class = user
>>ldap_group_object_class = group
>>ldap_user_name = sAMAccountName
>>enumerate = true
>>ldap_referrals = true
>>ldap_tls_reqcert = allow
>>ldap_tls_cacertdir = /etc/openldap/cacerts
>>ldap_access_filter = *
>>case_sensitive = false
>>lookup_family_order = ipv4_only
>>dns_resolver_timeout = 30
>>cache_credentials = false
>>
>This configuration file is a little bit suspicious to me.
>There is mixed/overridden id_provider ipa and proxy + some parts from AD.
>
>HBAC can work only with IPA users or trusted AD users (IPA AD trust)
>HBAC cannot work with id_provider ldap, proxy or AD.
>You can achieve something similar with GPO and ad provider.
>
>LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
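An added check, written for this thread and not part of SSSD or the original mails, that parses a sssd.conf domain section the way Lukas read the one above: it reports keys set more than once (the mixed ipa/proxy id_provider) and flags access_provider = ipa paired with a non-IPA id_provider, since HBAC only evaluates IPA or trusted-AD users. The embedded config is a constructed, abridged copy of the quoted one; treating the last occurrence of a repeated key as the effective value is an assumption of this script, not documented SSSD behaviour.

```python
from collections import defaultdict
import re

# Constructed sample: abridged copy of the mixed ipa/proxy domain from the thread.
SAMPLE_CONF = """\
[domain/mikey.com]
sudo_provider = ipa
ipa_domain = va2.b2c.mikey.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_uri = ldap://adldaplb.mikey.com
ldap_schema = AD
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def parse_sections(text):
    """Return {section: {key: [values...]}}, keeping every repeated value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue  # not inside a section, or not a key = value line
        key, _, value = line.partition("=")
        current[key.strip()].append(value.strip())
    return sections

def audit_domain(section):
    """Findings for one [domain/...] section: duplicate keys and HBAC pairing."""
    findings = []
    for key, values in section.items():
        if len(values) > 1:
            findings.append(f"{key} set {len(values)} times: {values} (ambiguous)")
    # Assumption: the last occurrence wins; check the resulting provider pairing.
    id_prov = section.get("id_provider", [None])[-1]
    access = section.get("access_provider", [None])[-1]
    if access == "ipa" and id_prov != "ipa":
        findings.append(f"access_provider=ipa with id_provider={id_prov}: "
                        "HBAC only applies to IPA or trusted-AD users")
    return findings
```

Running `audit_domain(parse_sections(SAMPLE_CONF)["domain/mikey.com"])` reports the duplicated id_provider and auth_provider keys and the HBAC pairing problem.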
