So, I got to play around with this and implemented the "workaround" we
discussed.
I ended up using ksu with sshd ForceCommand to make it more seamless for users.
Here are some of the issues I faced though:
1. IdP requires FAST and I'm not sure how I'm supposed to configure that
correctly in
> Having said that, I'm not even sure if one can request a specific preauth
> method today
> in SSSD.
And by that I mean as a hint before the actual AS_REQ. IIUC this isn't
straightforward to do currently because:
- The PAM conversation happens after the AS_REP and depends on the supported
> On Sat, 09 Mar 2024, Jonathan Calmels via FreeIPA-users wrote:
>
> If you are using RHEL subscription, it might make sense to open a
> customer case and provide more details there, along with a request for
> enhancement and point to this thread so that we can connect the
Thanks for the detailed answer, glad we didn't miss anything obvious.
I just want to add a bit more clarification on what we were proposing
> IPA only responsible for its own users. If authentication relies on an
> external identity (e.g. AD user), then authority holding information
> about that
We have several deployments of RHEL IdM consisting of a cross-forest trust with
on-prem MS Active Directory.
Users are able to log in to the IdM resources with their Corporate AD
credentials (i.e. password or existing AD ticket).
Users' identities (including POSIX attributes) are fetched from AD