We want to use password stored in AD and get a yes/no from the AD side.
My understanding (which is very limited) is that if we use the IPA
authentication then it resides in the local kerberos database.  Is that
not correct?  If I am completely off, how would I setup type of
authentication from IPA up?

Thanks again,

Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:

>On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hi Jakub,
>> Thanks but I have sudo working OK.
>I'm sorry, my fault..
>> What I am trying make work is HBAC.
>> That I canĀ¹t get to work with the proxy hack.  Is there a way to do
>I haven't tested that use-case, but from the code it looks like it
>wouldn't work, because the HBAC code tries to match the originalDN of
>the user as stored on the IPA server.
>I'm finishing a standalone HBAC PAM module that could help in setups
>like this, but more importantly -- why do you have the user proxied from
>files? Isn't it better to just rely on sssd's caching and fetch the user
>from IPA?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to