[Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion

2018-07-11 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 11 Jul 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>I have added the service on IPA and changed on the HBAC rule from "any
>service" to "ipsilon", but now I can not login on ipsilon. Also I've
>checked that there is no '/etc/pam.d/ipsilon' file.


On my Ipsilon server (based on Fedora 27) I have:

# rpm -qf /etc/pam.d/ipsilon
ipsilon-base-2.0.2-6.fc27.noarch

# cat /etc/pam.d/ipsilon
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin




Thanks & Regards.

-Original Message-
From: Alexander Bokovoy 
Sent: Tuesday, July 10, 2018 15:31
To: FreeIPA users list 
Cc: SOLER SANGUESA Miguel ; Rob Crittenden 

Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is 
used Ipsion

On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>Hello,
>>
>>RHEL 7.5 with IPA server 4.5.4
>>
>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL
>>repositories (v1.0.0) and added manually patch:
>>https://pagure.io/ipsilon/pull-request/44#request_diff
>>
>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>>(SSO) Jira, SAML/SSO) and it works fine, when I try to login on Jira I’m
>>redirected to Ipsilon server and when I put user/pass (using IPA user)
>>I log in.
>>
>>My problem is that I don’t know how to configure which users can log
>>in on the service. Right now all users able to login on the Ipsilon
>>server via “any service” can login.
>>
>>On Jira side I can create the users manually and configure that just
>>existing users can log in, but I would prefer not to manage users on
>>the service provider side.
>>
>>Also I want to add more services to Ipsilon, so not all users allowed
>>to log in on Ipsilon should log in on all services.
>>
>>If I can create a pam service for any of the services managed by
>>ipsilon, it would be perfect, as I could create HBAC rules for any
>>service and authorization would be managed just on IPA.
>>
>>Can anyone explain or give some documentation about this?
>
>I forget what pam service is used by Ipsilon by default. I'd suggest
>you ask on the ipsilon mailing list or in #ipsilon on freenode.

It is 'ipsilon'.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/C43VGBU2HELLOTQR2FMYB4UIG4JKZP4L/


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
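
An added illustration, not part of the original thread: HBAC rules are evaluated by SSSD when pam_sss.so runs in a service's account stack, so a rule naming the 'ipsilon' HBAC service only takes effect if /etc/pam.d/ipsilon exists and its account lines reach pam_sss.so. The sketch below checks that on a constructed copy of /etc/pam.d; the password-auth contents and the function names are assumptions.

```python
import re

# Constructed sample of /etc/pam.d. "ipsilon" mirrors the non-session lines of
# the file quoted above; "password-auth" is an assumed, abbreviated SSSD layout.
PAM_D = {
    "ipsilon": """#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
""",
    "password-auth": """#%PAM-1.0
auth       sufficient   pam_sss.so forward_pass
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required     pam_permit.so
""",
}

# type, control (keyword or [bracketed] form), module or included file
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def modules(pam_d, service, mtype, stack=()):
    """Modules a service runs for one type, following include/substack."""
    if service in stack or service not in pam_d:  # cycle or missing target
        return []
    out = []
    for raw in pam_d[service].splitlines():
        m = LINE.match(raw.strip())  # comment lines start with '#', no match
        if not m or m.group(1).lstrip("-") != mtype:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            out += modules(pam_d, target, mtype, stack + (service,))
        else:
            out.append(target)
    return out

def hbac_enforced(pam_d, service):
    """Return (ok, reason): can an HBAC rule for this PAM service apply?"""
    if service not in pam_d:
        return False, "no /etc/pam.d/%s: PAM falls back to 'other'" % service
    if "pam_sss.so" not in modules(pam_d, service, "account"):
        return False, "account stack never reaches pam_sss.so"
    return True, "account stack reaches pam_sss.so"
```

On a real host, build the dictionary from the files under /etc/pam.d and call `hbac_enforced(files, "ipsilon")`.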


[Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion

2018-07-11 Thread SOLER SANGUESA Miguel via FreeIPA-users
I have added the service on IPA and changed on the HBAC rule from "any service" 
to "ipsilon", but now I can not login on ipsilon. Also I've checked that there 
is no '/etc/pam.d/ipsilon' file.

Thanks & Regards.

-Original Message-
From: Alexander Bokovoy  
Sent: Tuesday, July 10, 2018 15:31
To: FreeIPA users list 
Cc: SOLER SANGUESA Miguel ; Rob Crittenden 

Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is 
used Ipsion

On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>Hello,
>>
>>RHEL 7.5 with IPA server 4.5.4
>>
>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL 
>>repositories (v1.0.0) and added manually patch:
>>https://pagure.io/ipsilon/pull-request/44#request_diff
>>
>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On 
>>(SSO) Jira, SAML/SSO) and it works fine, when I try to login on Jira I’m 
>>redirected to Ipsilon server and when I put user/pass (using IPA user) 
>>I log in.
>>
>>My problem is that I don’t know how to configure which users can log 
>>in on the service. Right now all users able to login on the Ipsilon 
>>server via “any service” can login.
>>
>>On Jira side I can create the users manually and configure that just 
>>existing users can log in, but I would prefer not to manage users on 
>>the service provider side.
>>
>>Also I want to add more services to Ipsilon, so not all users allowed 
>>to log in on Ipsilon should log in on all services.
>>
>>If I can create a pam service for any of the services managed by 
>>ipsilon, it would be perfect, as I could create HBAC rules for any 
>>service and authorization would be managed just on IPA.
>>
>>Can anyone explain or give some documentation about this?
>
>I forget what pam service is used by Ipsilon by default. I'd suggest 
>you ask on the ipsilon mailing list or in #ipsilon on freenode.
It is 'ipsilon'.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland


[Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion

2018-07-10 Thread SOLER SANGUESA Miguel via FreeIPA-users
I have added the service on IPA and changed on the HBAC rule from "any service" 
to "ipsilon", but now I can not login on ipsilon.
Also I've checked that there is no '/etc/pam.d/ipsilon' file.

Thanks & Regards.
__
Miguel Soler Sangüesa
Consultant - Linux Systems Administrator
OPPV - Linux Server Support



[Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion

2018-07-10 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>Hello,
>>
>>RHEL 7.5 with IPA server 4.5.4
>>
>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL
>>repositories (v1.0.0) and added manually patch:
>>https://pagure.io/ipsilon/pull-request/44#request_diff
>>
>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>>(SSO) Jira, SAML/SSO) and it works fine, when I try to login on Jira I’m
>>redirected to Ipsilon server and when I put user/pass (using IPA user)
>>I log in.
>>
>>My problem is that I don’t know how to configure which users can log
>>in on the service. Right now all users able to login on the Ipsilon
>>server via “any service” can login.
>>
>>On Jira side I can create the users manually and configure that just
>>existing users can log in, but I would prefer not to manage users on
>>the service provider side.
>>
>>Also I want to add more services to Ipsilon, so not all users allowed
>>to log in on Ipsilon should log in on all services.
>>
>>If I can create a pam service for any of the services managed by
>>ipsilon, it would be perfect, as I could create HBAC rules for any
>>service and authorization would be managed just on IPA.
>>
>>Can anyone explain or give some documentation about this?
>
>I forget what pam service is used by Ipsilon by default. I'd suggest
>you ask on the ipsilon mailing list or in #ipsilon on freenode.

It is 'ipsilon'.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion

2018-07-10 Thread Rob Crittenden via FreeIPA-users

SOLER SANGUESA Miguel via FreeIPA-users wrote:
>Hello,
>
>RHEL 7.5 with IPA server 4.5.4
>
>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL
>repositories (v1.0.0) and added manually patch:
>https://pagure.io/ipsilon/pull-request/44#request_diff
>
>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>(SSO) Jira, SAML/SSO) and it works fine, when I try to login on Jira I’m
>redirected to Ipsilon server and when I put user/pass (using IPA user)
>I log in.
>
>My problem is that I don’t know how to configure which users can log in
>on the service. Right now all users able to login on the Ipsilon server
>via “any service” can login.
>
>On Jira side I can create the users manually and configure that just
>existing users can log in, but I would prefer not to manage users on the
>service provider side.
>
>Also I want to add more services to Ipsilon, so not all users allowed to
>log in on Ipsilon should log in on all services.
>
>If I can create a pam service for any of the services managed by
>ipsilon, it would be perfect, as I could create HBAC rules for any
>service and authorization would be managed just on IPA.
>
>Can anyone explain or give some documentation about this?


I forget what pam service is used by Ipsilon by default. I'd suggest you 
ask on the ipsilon mailing list or in #ipsilon on freenode.


rob