On la, 11 helmi 2017, Michael Ströder wrote:
Alexander Bokovoy wrote:
On la, 11 helmi 2017, Harald Dunkel wrote:
On 02/11/17 11:57, Alexander Bokovoy wrote:
On la, 11 helmi 2017, Michael Ströder wrote:


(Personally I'd avoid going through PAM.)
Any specific reason for not using pam_sss? Remember, with SSSD involved
you get also authentication for trusted users from Active Directory
realms. You don't get that with generic LDAP way. Also, you'd be more
efficient in terms of utilising LDAP connections.


I would prefer if the users are not allowed to login into a
shell on the Jenkins server. Surely this restriction can be
implemented with pam as well.

Yes, you can use HBAC rules to prevent them from access to the host.

But this introduces a hard dependency on host system administration which I 
personally
always try to avoid.

As said: Your mileage may vary.
So we are talking about FreeIPA and a system enrolled to FreeIPA. This
system is already managed in FreeIPA.

Your mileage may vary, indeed, but I'd rather re-use what is available
to you than implement a parallel infrastructure, including reliability
aspects.

Anyway, I think we are distancing away from the original topic.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to