On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
> Jakub,
>
> We want to use password stored in AD and get a yes/no from the AD side.

OK, I see. Yes, with IPA provider you would authenticate the IPA user
against the IPA KDC.

> My understanding (which is very limited) is that if we use the IPA
> authentication then it resides in the local kerberos database. Is that
> not correct? If I am completely off, how would I set up type of
> authentication from IPA up?

Normally with trusts.

>
> Thanks again,
>
> Warren
> ___________________
> Warren Birnbaum : Infrastructure Services
> Digital Linux Infrastructure Services
> Europe CDT Techn. Operations
> Nike Inc. : Mobile +31 6 23902697
>
> On 2/15/16, 4:08 PM, "Jakub Hrozek" <[email protected]> wrote:
>
> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
> >> Hi Jakub,
> >>
> >> Thanks but I have sudo working OK.
> >
> >I'm sorry, my fault..
> >
> >> What I am trying to make work is HBAC.
> >> That I can't get to work with the proxy hack. Is there a way to do
> >> that?
> >
> >I haven't tested that use-case, but from the code it looks like it
> >wouldn't work, because the HBAC code tries to match the originalDN of
> >the user as stored on the IPA server.
> >
> >I'm finishing a standalone HBAC PAM module that could help in setups
> >like this, but more importantly -- why do you have the user proxied from
> >files? Isn't it better to just rely on sssd's caching and fetch the user
> >from IPA?
