On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
> We want to use the password stored in AD and get a yes/no from the AD side.
OK, I see. Yes, with IPA provider you would authenticate the IPA user
against the IPA KDC.
> My understanding (which is very limited) is that if we use the IPA
> authentication then it resides in the local kerberos database. Is that
> not correct? If I am completely off, how would I set up this type of
> authentication from IPA up?
Normally with trusts.
> Thanks again,
> Warren Birnbaum : Infrastructure Services
> Digital Linux Infrastructure Services
> Europe CDT Techn. Operations
> Nike Inc. : Mobile +31 6 23902697
> On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:
> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
> >> Hi Jakub,
> >> Thanks but I have sudo working OK.
> >I'm sorry, my fault..
> >> What I am trying to make work is HBAC.
> >> That I can't get to work with the proxy hack. Is there a way to do
> >I haven't tested that use-case, but from the code it looks like it
> >wouldn't work, because the HBAC code tries to match the originalDN of
> >the user as stored on the IPA server.
> >I'm finishing a standalone HBAC PAM module that could help in setups
> >like this, but more importantly -- why do you have the user proxied from
> >files? Isn't it better to just rely on sssd's caching and fetch the user
> >from IPA?