On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
> Hi Jakub,
> 
> Thanks but I have sudo working OK. 

I'm sorry, my fault..

> What I am trying to make work is HBAC.
> That I can't get to work with the proxy hack.  Is there a way to do that?

I haven't tested that use-case, but from the code it looks like it
wouldn't work, because the HBAC code tries to match the originalDN of
the user as stored on the IPA server.

I'm finishing a standalone HBAC PAM module that could help in setups
like this, but more importantly -- why do you have the user proxied from
files? Isn't it better to just rely on sssd's caching and fetch the user
from IPA?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
