Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Jakub, I am very interested in your standalone HBAC PAM module if you think it would apply in this situation. I would be happy to test it out if helpful. Thanks again for you help, Warren Birnbaum ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697 On 2/15/16, 5:16 PM, "Jakub Hrozek"wrote: >On Mon, Feb 15, 2016 at 03:58:15PM +, Birnbaum, Warren (ETW) wrote: >> Jakub, >> >> We want to use password stored in AD and get a yes/no from the AD side. > >OK, I see. Yes, with IPA provider you would authenticate the IPA user >against the IPA KDC. > >> My understanding (which is very limited) is that if we use the IPA >> authentication then it resides in the local kerberos database. Is that >> not correct? If I am completely off, how would I setup type of >> authentication from IPA up? > >Normally with trusts. > >> >> Thanks again, >> >> Warren >> ___ >> Warren Birnbaum : Infrastructure Services >> Digital Linux Infrastructure Services >> Europe CDT Techn. Operations >> Nike Inc. : Mobile +31 6 23902697 >> >> >> >> >> >> >> On 2/15/16, 4:08 PM, "Jakub Hrozek" wrote: >> >> >On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote: >> >> Hi Jakub, >> >> >> >> Thanks but I have sudo working OK. >> > >> >I'm sorry, my fault.. >> > >> >> What I am trying make work is HBAC. >> >> That I can¹t get to work with the proxy hack. Is there a way to do >> >>that? >> > >> >I haven't tested that use-case, but from the code it looks like it >> >wouldn't work, because the HBAC code tries to match the originalDN of >> >the user as stored on the IPA server. >> > >> >I'm finishing a standalone HBAC PAM module that could help in setups >> >like this, but more importantly -- why do you have the user proxied >>from >> >files? Isn't it better to just rely on sssd's caching and fetch the >>user >> >from IPA? >> -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Jakub, We want to use password stored in AD and get a yes/no from the AD side. My understanding (which is very limited) is that if we use the IPA authentication then it resides in the local kerberos database. Is that not correct? If I am completely off, how would I setup type of authentication from IPA up? Thanks again, Warren ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697 On 2/15/16, 4:08 PM, "Jakub Hrozek"wrote: >On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote: >> Hi Jakub, >> >> Thanks but I have sudo working OK. > >I'm sorry, my fault.. > >> What I am trying make work is HBAC. >> That I can¹t get to work with the proxy hack. Is there a way to do >>that? > >I haven't tested that use-case, but from the code it looks like it >wouldn't work, because the HBAC code tries to match the originalDN of >the user as stored on the IPA server. > >I'm finishing a standalone HBAC PAM module that could help in setups >like this, but more importantly -- why do you have the user proxied from >files? Isn't it better to just rely on sssd's caching and fetch the user >from IPA? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On Mon, Feb 15, 2016 at 03:58:15PM +, Birnbaum, Warren (ETW) wrote: > Jakub, > > We want to use password stored in AD and get a yes/no from the AD side. OK, I see. Yes, with IPA provider you would authenticate the IPA user against the IPA KDC. > My understanding (which is very limited) is that if we use the IPA > authentication then it resides in the local kerberos database. Is that > not correct? If I am completely off, how would I setup type of > authentication from IPA up? Normally with trusts. > > Thanks again, > > Warren > ___ > Warren Birnbaum : Infrastructure Services > Digital Linux Infrastructure Services > Europe CDT Techn. Operations > Nike Inc. : Mobile +31 6 23902697 > > > > > > > On 2/15/16, 4:08 PM, "Jakub Hrozek"wrote: > > >On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote: > >> Hi Jakub, > >> > >> Thanks but I have sudo working OK. > > > >I'm sorry, my fault.. > > > >> What I am trying make work is HBAC. > >> That I can¹t get to work with the proxy hack. Is there a way to do > >>that? > > > >I haven't tested that use-case, but from the code it looks like it > >wouldn't work, because the HBAC code tries to match the originalDN of > >the user as stored on the IPA server. > > > >I'm finishing a standalone HBAC PAM module that could help in setups > >like this, but more importantly -- why do you have the user proxied from > >files? Isn't it better to just rely on sssd's caching and fetch the user > >from IPA? > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote: > Hi Jakub, > > Thanks but I have sudo working OK. I'm sorry, my fault.. > What I am trying make work is HBAC. > That I can¹t get to work with the proxy hack. Is there a way to do that? I haven't tested that use-case, but from the code it looks like it wouldn't work, because the HBAC code tries to match the originalDN of the user as stored on the IPA server. I'm finishing a standalone HBAC PAM module that could help in setups like this, but more importantly -- why do you have the user proxied from files? Isn't it better to just rely on sssd's caching and fetch the user from IPA? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote: Alexander, Thanks for letting me know this. Is it true then that my only option is to have the IPA AD trust to achieve AD authentication (proxy style), HBAC and sudo? I'm not sure using 'proxy' term is actually helpful here. IPA does not work as a proxy authentication when it trusts AD forest. All authentication happens directly against AD domain controllers, and IPA is only used to host resources specific to Linux deployments. Given that HBAC is a feature of IPA, not AD, you cannot have HBAC working in other configurations. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On (15/02/16 11:45), Birnbaum, Warren (ETW) wrote: >Thanks Lukas. > >Unfortunately setting up a IPA Ad Trust is something not possible within >our organization. Is it then fair to say that waiting for Ticket #4623 is >our only option? https://fedorahosted.org/freeipa/ticket/4634 > As I wrote in previous mail HBAC can work only with id_provider = ipa. and GPO works only with id_provider = ad. Your configuration is little bit non-standard id_provider = proxy (to files) and auth provider LDAP (AD). I can only recommend to look into pam_access.so. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Alexander, Thanks for letting me know this. Is it true then that my only option is to have the IPA AD trust to achieve AD authentication (proxy style), HBAC and sudo? Thanks ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697 On 2/15/16, 12:52 PM, "Alexander Bokovoy"wrote: >On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote: >>Thanks Lukas. >> >>Unfortunately setting up a IPA Ad Trust is something not possible within >>our organization. Is it then fair to say that waiting for Ticket #4623 >>is >>our only option? https://fedorahosted.org/freeipa/ticket/4634 >This ticket is not going to be implemented in a near future. It has >huge development cost while very little benefits. I don't think it is >going to be something you can rely on. > >-- >/ Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote: Thanks Lukas. Unfortunately setting up a IPA Ad Trust is something not possible within our organization. Is it then fair to say that waiting for Ticket #4623 is our only option? https://fedorahosted.org/freeipa/ticket/4634 This ticket is not going to be implemented in a near future. It has huge development cost while very little benefits. I don't think it is going to be something you can rely on. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Thanks Lukas. Unfortunately setting up a IPA Ad Trust is something not possible within our organization. Is it then fair to say that waiting for Ticket #4623 is our only option? https://fedorahosted.org/freeipa/ticket/4634 Thanks, Warren ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697 On 2/15/16, 12:36 PM, "Lukas Slebodnik"wrote: >On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote: >>Hello, >> >>I would like to get freeipa to work with a proxy solution ( I currently >>have this working with an active directory/no trust authentication and >>sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC. >>I see there is a ticket for this as a new enhancement #4634 but wanted >>to confirm that there isn't another way to accomplish this. >> >>Here is my current configuration for proxy and this works OK: >> >>[domain/mikey.com] >>sudo_provider = ipa >>ipa_domain = va2.b2c.mikey.com >>id_provider = ipa >>auth_provider = ipa >>access_provider = ipa >>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com >>chpass_provider = ipa >>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com >>ldap_tls_cacert = /etc/ipa/ca.crt >> >>id_provider = proxy >>proxy_lib_name = files >>auth_provider = ldap >>reconnection_retries = 3 >>ldap_uri = ldap://adldaplb.mikey.com >>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree? >>ldap_schema = AD >>ldap_default_authtok_type = password >>ldap_network_timeout = 120 >>ldap_opt_timeout = 120 >>ldap_search_timeout = 120 >>ldap_id_use_start_tls = false >>ldap_user_object_class = user >>ldap_group_object_class = group >>ldap_user_name = sAMAccountName >>enumerate = true >>ldap_referrals = true >>ldap_tls_reqcert = allow >>ldap_tls_cacertdir = /etc/openldap/cacerts >>ldap_access_filter = * >>case_sensitive = false >>lookup_family_order = ipv4_only >>dns_resolver_timeout = 30 >>cache_credentials = false >> >This configuration file is a little bit suspicious to me. >There is mixed/overriden id_provider ipa and proxy + some parts from AD. > >HBAC can work only with IPA users or trusted AD users (IPA AD trust) >HBAC cannot work with id_provider ldap, proxy or AD. >You can achieve something similar with GPO and ad provider. > >LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote: >Hello, > >I would like to get freeipa to work with a proxy solution ( I currently have >this working with an active directory/no trust authentication and sudo but no >HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a >ticket for this as a new enhancement #4634 but wanted to confirm that there >isn't another way to accomplish this. > >Here is my current configuration for proxy and this works OK: > >[domain/mikey.com] >sudo_provider = ipa >ipa_domain = va2.b2c.mikey.com >id_provider = ipa >auth_provider = ipa >access_provider = ipa >ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com >chpass_provider = ipa >ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com >ldap_tls_cacert = /etc/ipa/ca.crt > >id_provider = proxy >proxy_lib_name = files >auth_provider = ldap >reconnection_retries = 3 >ldap_uri = ldap://adldaplb.mikey.com >ldap_search_base = dc=ad,dc=mikey,dc=com?subtree? >ldap_schema = AD >ldap_default_authtok_type = password >ldap_network_timeout = 120 >ldap_opt_timeout = 120 >ldap_search_timeout = 120 >ldap_id_use_start_tls = false >ldap_user_object_class = user >ldap_group_object_class = group >ldap_user_name = sAMAccountName >enumerate = true >ldap_referrals = true >ldap_tls_reqcert = allow >ldap_tls_cacertdir = /etc/openldap/cacerts >ldap_access_filter = * >case_sensitive = false >lookup_family_order = ipv4_only >dns_resolver_timeout = 30 >cache_credentials = false > This configuration file is a little bit suspicious to me. There is mixed/overriden id_provider ipa and proxy + some parts from AD. HBAC can work only with IPA users or trusted AD users (IPA AD trust) HBAC cannot work with id_provider ldap, proxy or AD. You can achieve something similar with GPO and ad provider. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Hi Jakub, Thanks but I have sudo working OK. What I am trying make work is HBAC. That I can¹t get to work with the proxy hack. Is there a way to do that? Thanks, Warren ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697 On 2/15/16, 11:31 AM, "freeipa-users-boun...@redhat.com on behalf of Jakub Hrozek"wrote: >On Mon, Feb 15, 2016 at 09:34:33AM +, Birnbaum, Warren (ETW) wrote: >> Hello, >> >> I would like to get freeipa to work with a proxy solution ( I currently >>have this working with an active directory/no trust authentication and >>sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC. >>I see there is a ticket for this as a new enhancement #4634 but wanted >>to confirm that there isn't another way to accomplish this. >> >> Here is my current configuration for proxy and this works OK: > >I've used the proxy hack to enable sudo for local (=/etc/passwd) users >with LDAP sudoers and it just worked. Can you try following: >https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO >and see which part does not work? > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
On Mon, Feb 15, 2016 at 09:34:33AM +, Birnbaum, Warren (ETW) wrote: > Hello, > > I would like to get freeipa to work with a proxy solution ( I currently have > this working with an active directory/no trust authentication and sudo but no > HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a > ticket for this as a new enhancement #4634 but wanted to confirm that there > isn't another way to accomplish this. > > Here is my current configuration for proxy and this works OK: I've used the proxy hack to enable sudo for local (=/etc/passwd) users with LDAP sudoers and it just worked. Can you try following: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO and see which part does not work? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project