Jakub, We want to use password stored in AD and get a yes/no from the AD side. My understanding (which is very limited) is that if we use the IPA authentication then it resides in the local kerberos database. Is that not correct? If I am completely off, how would I setup type of authentication from IPA up?
Thanks again, Warren ___________________ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697 On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote: >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote: >> Hi Jakub, >> >> Thanks but I have sudo working OK. > >I'm sorry, my fault.. > >> What I am trying make work is HBAC. >> That I can¹t get to work with the proxy hack. Is there a way to do >>that? > >I haven't tested that use-case, but from the code it looks like it >wouldn't work, because the HBAC code tries to match the originalDN of >the user as stored on the IPA server. > >I'm finishing a standalone HBAC PAM module that could help in setups >like this, but more importantly -- why do you have the user proxied from >files? Isn't it better to just rely on sssd's caching and fetch the user >from IPA? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project