Jakub, I am very interested in your standalone HBAC PAM module if you think it would apply in this situation. I would be happy to test it out if helpful.
Thanks again for your help,

Warren Birnbaum
___________________
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 5:16 PM, "Jakub Hrozek" <[email protected]> wrote:

>On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
>> Jakub,
>>
>> We want to use password stored in AD and get a yes/no from the AD side.
>
>OK, I see. Yes, with IPA provider you would authenticate the IPA user
>against the IPA KDC.
>
>> My understanding (which is very limited) is that if we use the IPA
>> authentication then it resides in the local kerberos database. Is that
>> not correct? If I am completely off, how would I setup type of
>> authentication from IPA up?
>
>Normally with trusts.
>
>>
>> Thanks again,
>>
>> Warren
>> ___________________
>> Warren Birnbaum : Infrastructure Services
>> Digital Linux Infrastructure Services
>> Europe CDT Techn. Operations
>> Nike Inc. : Mobile +31 6 23902697
>>
>> On 2/15/16, 4:08 PM, "Jakub Hrozek" <[email protected]> wrote:
>>
>> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> >> Hi Jakub,
>> >>
>> >> Thanks but I have sudo working OK.
>> >
>> >I'm sorry, my fault..
>> >
>> >> What I am trying to make work is HBAC.
>> >> That I can't get to work with the proxy hack. Is there a way to do
>> >> that?
>> >
>> >I haven't tested that use-case, but from the code it looks like it
>> >wouldn't work, because the HBAC code tries to match the originalDN of
>> >the user as stored on the IPA server.
>> >
>> >I'm finishing a standalone HBAC PAM module that could help in setups
>> >like this, but more importantly -- why do you have the user proxied
>> >from files? Isn't it better to just rely on sssd's caching and fetch
>> >the user from IPA?
