Alexander Bokovoy wrote: > On la, 11 helmi 2017, Michael Ströder wrote: >> Alexander Bokovoy wrote: >>> On la, 11 helmi 2017, Harald Dunkel wrote: >>>> On 02/11/17 11:57, Alexander Bokovoy wrote: >>>>> On la, 11 helmi 2017, Michael Ströder wrote: >>>>>> >>>>>> (Personally I'd avoid going through PAM.) >>>>> Any specific reason for not using pam_sss? Remember, with SSSD involved >>>>> you get also authentication for trusted users from Active Directory >>>>> realms. You don't get that with generic LDAP way. Also, you'd be more >>>>> efficient in terms of utilising LDAP connections. >>>>> >>>> >>>> I would prefer if the users are not allowed to login into a >>>> shell on the Jenkins server. Surely this restriction can be >>>> implemented with pam as well. >>> >>> Yes, you can use HBAC rules to prevent them from access to the host. >> >> But this introduces a hard dependency on host system administration which I >> personally >> always try to avoid. >> >> As said: Your mileage may vary. > > So we are talking about FreeIPA and a system enrolled to FreeIPA. This > system is already managed in FreeIPA.
Please don't get me wrong. Of course I assume that the original poster wants to integrate Jenkins with FreeIPA and make use of users and their group membership already maintained therein. Let's further assume that the service (here Jenkins) might be operated by another team than the system - not so unusual case at my customers' sites - relying on defining HBAC rules for the system's sssd might not be feasible. > Your mileage may vary, indeed, but I'd rather re-use what is available > to you than implement a parallel infrastructure, including reliability > aspects. Of course we both agree on the benefits of using what's already available. > Anyway, I think we are distancing away from the original topic. Especially since we both can only make rough assumptions about requirements and operational constraints of the original poster. Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
