Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Jakub,

I am very interested in your standalone HBAC PAM module if you think it
would apply in this situation.  I would be happy to test it out if helpful.

Thanks again for your help,

Warren Birnbaum

___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 5:16 PM, "Jakub Hrozek"  wrote:

>On Mon, Feb 15, 2016 at 03:58:15PM +, Birnbaum, Warren (ETW) wrote:
>> Jakub,
>> 
>> We want to use password stored in AD and get a yes/no from the AD side.
>
>OK, I see. Yes, with IPA provider you would authenticate the IPA user
>against the IPA KDC.
>
>> My understanding (which is very limited) is that if we use the IPA
>> authentication then it resides in the local kerberos database.  Is that
>> not correct?  If I am completely off, how would I set up this type of
>> authentication from IPA up?
>
>Normally with trusts.
>
>> 
>> Thanks again,
>> 
>> Warren
>> ___
>> Warren Birnbaum : Infrastructure Services
>> Digital Linux Infrastructure Services
>> Europe CDT Techn. Operations
>> Nike Inc. : Mobile +31 6 23902697
>> 
>> On 2/15/16, 4:08 PM, "Jakub Hrozek"  wrote:
>> 
>> >On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote:
>> >> Hi Jakub,
>> >> 
>> >> Thanks but I have sudo working OK.
>> >
>> >I'm sorry, my fault..
>> >
>> >> What I am trying to make work is HBAC.
>> >> That I can't get to work with the proxy hack.  Is there a way to do
>> >>that?
>> >
>> >I haven't tested that use-case, but from the code it looks like it
>> >wouldn't work, because the HBAC code tries to match the originalDN of
>> >the user as stored on the IPA server.
>> >
>> >I'm finishing a standalone HBAC PAM module that could help in setups
>> >like this, but more importantly -- why do you have the user proxied
>>from
>> >files? Isn't it better to just rely on sssd's caching and fetch the
>>user
>> >from IPA?
>> 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Jakub,

We want to use password stored in AD and get a yes/no from the AD side.
My understanding (which is very limited) is that if we use the IPA
authentication then it resides in the local kerberos database.  Is that
not correct?  If I am completely off, how would I set up this type of
authentication from IPA up?

Thanks again,

Warren
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 4:08 PM, "Jakub Hrozek"  wrote:

>On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote:
>> Hi Jakub,
>> 
>> Thanks but I have sudo working OK.
>
>I'm sorry, my fault..
>
>> What I am trying to make work is HBAC.
>> That I can't get to work with the proxy hack.  Is there a way to do
>>that?
>
>I haven't tested that use-case, but from the code it looks like it
>wouldn't work, because the HBAC code tries to match the originalDN of
>the user as stored on the IPA server.
>
>I'm finishing a standalone HBAC PAM module that could help in setups
>like this, but more importantly -- why do you have the user proxied from
>files? Isn't it better to just rely on sssd's caching and fetch the user
>from IPA?



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 03:58:15PM +, Birnbaum, Warren (ETW) wrote:
> Jakub,
> 
> We want to use password stored in AD and get a yes/no from the AD side.

OK, I see. Yes, with IPA provider you would authenticate the IPA user
against the IPA KDC.

> My understanding (which is very limited) is that if we use the IPA
> authentication then it resides in the local kerberos database.  Is that
> not correct?  If I am completely off, how would I set up this type of
> authentication from IPA up?

Normally with trusts.

> 
> Thanks again,
> 
> Warren
> ___
> Warren Birnbaum : Infrastructure Services
> Digital Linux Infrastructure Services
> Europe CDT Techn. Operations
> Nike Inc. : Mobile +31 6 23902697
> 
> On 2/15/16, 4:08 PM, "Jakub Hrozek"  wrote:
> 
> >On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote:
> >> Hi Jakub,
> >> 
> >> Thanks but I have sudo working OK.
> >
> >I'm sorry, my fault..
> >
> >> What I am trying to make work is HBAC.
> >> That I can't get to work with the proxy hack.  Is there a way to do
> >>that?
> >
> >I haven't tested that use-case, but from the code it looks like it
> >wouldn't work, because the HBAC code tries to match the originalDN of
> >the user as stored on the IPA server.
> >
> >I'm finishing a standalone HBAC PAM module that could help in setups
> >like this, but more importantly -- why do you have the user proxied from
> >files? Isn't it better to just rely on sssd's caching and fetch the user
> >from IPA?
> 



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote:
> Hi Jakub,
> 
> Thanks but I have sudo working OK. 

I'm sorry, my fault..

> What I am trying to make work is HBAC.
> That I can't get to work with the proxy hack.  Is there a way to do that?

I haven't tested that use-case, but from the code it looks like it
wouldn't work, because the HBAC code tries to match the originalDN of
the user as stored on the IPA server.

I'm finishing a standalone HBAC PAM module that could help in setups
like this, but more importantly -- why do you have the user proxied from
files? Isn't it better to just rely on sssd's caching and fetch the user
from IPA?



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Alexander Bokovoy

On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote:
> Alexander,
> 
> Thanks for letting me know this.  Is it true then that my only option is
> to have the IPA AD trust to achieve AD authentication (proxy style), HBAC
> and sudo?

I'm not sure using the 'proxy' term is actually helpful here. IPA does not
work as a proxy for authentication when it trusts an AD forest. All
authentication happens directly against AD domain controllers, and IPA
is only used to host resources specific to Linux deployments. Given that
HBAC is a feature of IPA, not AD, you cannot have HBAC working in other
configurations.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Lukas Slebodnik
On (15/02/16 11:45), Birnbaum, Warren (ETW) wrote:
>Thanks Lukas.  
>
>Unfortunately setting up an IPA AD trust is something not possible within
>our organization.  Is it then fair to say that waiting for Ticket #4623 is
>our only option?  https://fedorahosted.org/freeipa/ticket/4634
>

As I wrote in my previous mail, HBAC can work only with id_provider = ipa,
and GPO works only with id_provider = ad.

Your configuration is a little bit non-standard:
id_provider = proxy (to files) and auth_provider = ldap (AD).

I can only recommend looking into pam_access.so.

LS



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Alexander,

Thanks for letting me know this.  Is it true then that my only option is
to have the IPA AD trust to achieve AD authentication (proxy style), HBAC
and sudo?

Thanks
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 12:52 PM, "Alexander Bokovoy"  wrote:

>On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks Lukas.
>>
>>Unfortunately setting up an IPA AD trust is something not possible within
>>our organization.  Is it then fair to say that waiting for Ticket #4623
>>is
>>our only option?  https://fedorahosted.org/freeipa/ticket/4634
>This ticket is not going to be implemented in the near future. It has a
>huge development cost and very little benefit. I don't think it is
>going to be something you can rely on.
>
>-- 
>/ Alexander Bokovoy




Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Alexander Bokovoy

On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote:
> Thanks Lukas.
> 
> Unfortunately setting up an IPA AD trust is something not possible within
> our organization.  Is it then fair to say that waiting for Ticket #4623 is
> our only option?  https://fedorahosted.org/freeipa/ticket/4634

This ticket is not going to be implemented in the near future. It has a
huge development cost and very little benefit. I don't think it is
going to be something you can rely on.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Thanks Lukas.  

Unfortunately setting up an IPA AD trust is something not possible within
our organization.  Is it then fair to say that waiting for Ticket #4623 is
our only option?  https://fedorahosted.org/freeipa/ticket/4634


Thanks,

Warren
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 12:36 PM, "Lukas Slebodnik"  wrote:

>On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>>Hello,
>>
>>I would like to get freeipa to work with a proxy solution (I currently
>>have this working with an active directory/no trust authentication and
>>sudo but no HBAC) including HBAC.  I can get sudo to work but not HBAC.
>>I see there is a ticket for this as a new enhancement  #4634 but wanted
>>to confirm that there isn't another way to accomplish this.
>>
>>Here is my current configuration for proxy and this works OK:
>>
>>[domain/mikey.com]
>>sudo_provider = ipa
>>ipa_domain = va2.b2c.mikey.com
>>id_provider = ipa
>>auth_provider = ipa
>>access_provider = ipa
>>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>>chpass_provider = ipa
>>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>>ldap_tls_cacert = /etc/ipa/ca.crt
>>
>>id_provider = proxy
>>proxy_lib_name = files
>>auth_provider = ldap
>>reconnection_retries = 3
>>ldap_uri = ldap://adldaplb.mikey.com
>>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>>ldap_schema = AD
>>ldap_default_authtok_type = password
>>ldap_network_timeout = 120
>>ldap_opt_timeout = 120
>>ldap_search_timeout = 120
>>ldap_id_use_start_tls = false
>>ldap_user_object_class = user
>>ldap_group_object_class = group
>>ldap_user_name = sAMAccountName
>>enumerate = true
>>ldap_referrals = true
>>ldap_tls_reqcert = allow
>>ldap_tls_cacertdir = /etc/openldap/cacerts
>>ldap_access_filter = *
>>case_sensitive = false
>>lookup_family_order = ipv4_only
>>dns_resolver_timeout = 30
>>cache_credentials = false
>>
>This configuration file is a little bit suspicious to me.
>There is a mixed/overridden id_provider (ipa and proxy) + some parts from AD.
>
>HBAC can work only with IPA users or trusted AD users (IPA AD trust)
>HBAC cannot work with id_provider ldap, proxy or AD.
>You can achieve something similar with GPO and ad provider.
>
>LS




Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Lukas Slebodnik
On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>Hello,
>
>I would like to get freeipa to work with a proxy solution (I currently have 
>this working with an active directory/no trust authentication and sudo but no 
>HBAC) including HBAC.  I can get sudo to work but not HBAC.  I see there is a 
>ticket for this as a new enhancement  #4634 but wanted to confirm that there 
>isn't another way to accomplish this.
>
>Here is my current configuration for proxy and this works OK:
>
>[domain/mikey.com]
>sudo_provider = ipa
>ipa_domain = va2.b2c.mikey.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>chpass_provider = ipa
>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>id_provider = proxy
>proxy_lib_name = files
>auth_provider = ldap
>reconnection_retries = 3
>ldap_uri = ldap://adldaplb.mikey.com
>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>ldap_schema = AD
>ldap_default_authtok_type = password
>ldap_network_timeout = 120
>ldap_opt_timeout = 120
>ldap_search_timeout = 120
>ldap_id_use_start_tls = false
>ldap_user_object_class = user
>ldap_group_object_class = group
>ldap_user_name = sAMAccountName
>enumerate = true
>ldap_referrals = true
>ldap_tls_reqcert = allow
>ldap_tls_cacertdir = /etc/openldap/cacerts
>ldap_access_filter = *
>case_sensitive = false
>lookup_family_order = ipv4_only
>dns_resolver_timeout = 30
>cache_credentials = false
>
This configuration file is a little bit suspicious to me.
There is a mixed/overridden id_provider (ipa and proxy) + some parts from AD.

HBAC can work only with IPA users or trusted AD users (IPA AD trust)
HBAC cannot work with id_provider ldap, proxy or AD.
You can achieve something similar with GPO and ad provider.

LS

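An added sssd.conf linter, written for this page and not part of SSSD or FreeIPA, that makes Lukas's objection to the pasted configuration mechanical. It keeps every occurrence of a key in a [domain/...] section, so id_provider and auth_provider being set twice is reported rather than one value silently winning; it flags access_provider = ipa (HBAC) combined with a non-IPA id_provider, which is the combination the thread says cannot work; and it flags ldap_tls_reqcert = allow on an LDAP authentication path, since the AD server certificate is then not verified. SAMPLE_CONF is an abridged copy of the configuration quoted above with hostnames as posted; the finding texts and the default values assumed for absent keys (ldap_tls_reqcert hard, ldap_id_use_start_tls false) are this example's own.

```python
"""Added lint for sssd.conf domain sections (constructed example, not SSSD's
own tooling).  It flags the three issues raised in this thread: a key set
twice in one [domain/...] section, HBAC (access_provider = ipa) combined with
a non-IPA id_provider, and ldap_tls_reqcert = allow on an LDAP auth path."""

# Constructed, abridged copy of the configuration pasted in the thread.
SAMPLE_CONF = """\
[domain/mikey.com]
sudo_provider = ipa
ipa_domain = va2.b2c.mikey.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
chpass_provider = ipa
ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
ldap_tls_cacert = /etc/ipa/ca.crt

id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_uri = ldap://adldaplb.mikey.com
ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
ldap_schema = AD
ldap_id_use_start_tls = false
ldap_user_name = sAMAccountName
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_access_filter = *
cache_credentials = false
"""


def parse_sections(text):
    """Return {section: {key: [value, ...]}}; every occurrence of a key is kept
    so that a setting overridden later in the same section stays visible."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def lint_domain(opts):
    """Return human-readable findings for one [domain/...] section."""
    findings = []
    for key, values in opts.items():
        if len(values) > 1:
            findings.append(f"'{key}' is set {len(values)} times ({', '.join(values)}); "
                            "only one value can take effect")
    id_providers = opts.get("id_provider", [])
    auth_providers = opts.get("auth_provider", [])
    # HBAC is evaluated by the ipa access provider against IPA user objects,
    # so the users must come from the ipa id provider as well.
    foreign = [p for p in id_providers if p != "ipa"]
    if "ipa" in opts.get("access_provider", []) and foreign:
        findings.append("access_provider = ipa (HBAC) needs id_provider = ipa, "
                        f"but id_provider is also set to {', '.join(foreign)}")
    if "ldap" in id_providers or "ldap" in auth_providers:
        reqcert = opts.get("ldap_tls_reqcert", ["hard"])[-1]  # assumed default
        if reqcert in ("allow", "never"):
            findings.append(f"ldap_tls_reqcert = {reqcert}: the LDAP server "
                            "certificate is not verified, so the TLS session "
                            "carrying passwords is not authenticated")
        first_uri = opts.get("ldap_uri", [""])[-1].split(",")[0].strip()
        start_tls = opts.get("ldap_id_use_start_tls", ["false"])[-1].lower()
        if "ldap" in id_providers and first_uri.startswith("ldap://") and start_tls == "false":
            findings.append("ldap_id_use_start_tls = false with an ldap:// URI: "
                            "identity lookups travel without TLS")
    return findings


def lint_config(text):
    """Lint every [domain/...] section of an sssd.conf string."""
    return {name: lint_domain(opts) for name, opts in parse_sections(text).items()
            if name.startswith("domain/")}


if __name__ == "__main__":
    for section, findings in lint_config(SAMPLE_CONF).items():
        print(f"[{section}]")
        for finding in findings:
            print("  -", finding)
```

Run against SAMPLE_CONF it reports four findings: the two doubly-set provider keys, the HBAC/proxy mismatch, and the unverified AD certificate. The duplicate-key check is the important one for a review: a real sssd.conf with a section like this looks complete at a glance, and which of the two providers actually runs is not obvious from reading it.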


Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Hi Jakub,

Thanks but I have sudo working OK.  What I am trying to make work is HBAC.
That I can't get to work with the proxy hack.  Is there a way to do that?

Thanks,

Warren


___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 11:31 AM, "freeipa-users-boun...@redhat.com on behalf of Jakub
Hrozek" 
wrote:

>On Mon, Feb 15, 2016 at 09:34:33AM +, Birnbaum, Warren (ETW) wrote:
>> Hello,
>> 
>> I would like to get freeipa to work with a proxy solution (I currently
>>have this working with an active directory/no trust authentication and
>>sudo but no HBAC) including HBAC.  I can get sudo to work but not HBAC.
>>I see there is a ticket for this as a new enhancement  #4634 but wanted
>>to confirm that there isn't another way to accomplish this.
>> 
>> Here is my current configuration for proxy and this works OK:
>
>I've used the proxy hack to enable sudo for local (=/etc/passwd) users
>with LDAP sudoers and it just worked. Can you try following:
>https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>and see which part does not work?
>



Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 09:34:33AM +, Birnbaum, Warren (ETW) wrote:
> Hello,
> 
> I would like to get freeipa to work with a proxy solution (I currently have 
> this working with an active directory/no trust authentication and sudo but no 
> HBAC) including HBAC.  I can get sudo to work but not HBAC.  I see there is a 
> ticket for this as a new enhancement  #4634 but wanted to confirm that there 
> isn't another way to accomplish this.
> 
> Here is my current configuration for proxy and this works OK:

I've used the proxy hack to enable sudo for local (=/etc/passwd) users
with LDAP sudoers and it just worked. Can you try following:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
and see which part does not work?
