On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote: > Hi Jakub, > > Thanks but I have sudo working OK.
I'm sorry, my fault.. > What I am trying make work is HBAC. > That I canĀ¹t get to work with the proxy hack. Is there a way to do that? I haven't tested that use-case, but from the code it looks like it wouldn't work, because the HBAC code tries to match the originalDN of the user as stored on the IPA server. I'm finishing a standalone HBAC PAM module that could help in setups like this, but more importantly -- why do you have the user proxied from files? Isn't it better to just rely on sssd's caching and fetch the user from IPA? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
