On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
> Jakub,
> 
> We want to use password stored in AD and get a yes/no from the AD side.

OK, I see. Yes, with IPA provider you would authenticate the IPA user
against the IPA KDC.

> My understanding (which is very limited) is that if we use the IPA
> authentication then it resides in the local kerberos database.  Is that
> not correct?  If I am completely off, how would I setup type of
> authentication from IPA up?

Normally with trusts.

> 
> Thanks again,
> 
> Warren
> ___________________
> Warren Birnbaum : Infrastructure Services
> Digital Linux Infrastructure Services
> Europe CDT Techn. Operations
> Nike Inc. : Mobile +31 6 23902697
> 
> 
> 
> 
> 
> 
> On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:
> 
> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
> >> Hi Jakub,
> >> 
> >> Thanks but I have sudo working OK.
> >
> >I'm sorry, my fault..
> >
> >> What I am trying make work is HBAC.
> >> That I canĀ¹t get to work with the proxy hack.  Is there a way to do
> >>that?
> >
> >I haven't tested that use-case, but from the code it looks like it
> >wouldn't work, because the HBAC code tries to match the originalDN of
> >the user as stored on the IPA server.
> >
> >I'm finishing a standalone HBAC PAM module that could help in setups
> >like this, but more importantly -- why do you have the user proxied from
> >files? Isn't it better to just rely on sssd's caching and fetch the user
> >from IPA?
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to