On Wed, Oct 18, 2017 at 8:31 AM, Simo Sorce <[email protected]> wrote:

> On Wed, 2017-10-18 at 05:26 -0400, Asif Iqbal wrote:
> > On Wed, Oct 18, 2017 at 4:10 AM, Jakub Hrozek <[email protected]>
> > wrote:
> >
> > > On Tue, Oct 17, 2017 at 05:15:08PM -0400, Asif Iqbal wrote:
> > > > I set up sssd to login with 2 factor auth and it works fine and
> > > > then I am failing to sudo with ldap even though id_provider is
> > > > ldap.
> > > >
> > > > Here is log from sssd_LDAP when running sudo -s
> > > >
> > > > http://dpaste.com/36PTMS0.txt
> > > >
> > > > Here is relevant config
> > > >
> > > > [domain/LDAP]
> > > > chpass_provider = krb5
> > > > access_provider = ldap
> > > > id_provider = ldap
> > > > ...
> > > > auth_provider = proxy
> > > > proxy_pam_target = securid
> > > > ..
> > > >
> > > > There is no sudo_* in here
> > > >
> > > > sudo -s works if I use the auth provider, which is 2FA. So it
> > > > seems like sudo auth follows whatever auth_provider is set to?
> > > >
> > > > Can I have ssh login with proxy as auth provider and sudo login
> > > > with ldap as auth provider?
> > > >
> > > > I know both ssh and sudo login works with ldap and krb5, but I
> > > > need to have the ssh login with 2FA in my env.
> > > >
> > > > Thanks for your help
> > >
> > > The only way I can think of solving this is to configure two
> > > [domains] in sssd.conf and using fully qualified names, e.g.
> > > user@otpdomain and user@ldapdomain.
> > >
> >
> > I know I can just skip sssd and use pam.d/sshd auth pointing to
> > pam_securid.so and pam.d/sudo to pam_ldap. Much simpler approach.
> > So user can still do normal unix login with securid (2FA)
> > credentials and then sudo with LDAP credentials.
> >
> > Hopefully someday sssd will be capable of offering that.
>
> Can you open an RFE ticket for this?
>

Sure. Is there a link for that? Sorry I have not done that before.

Thanks

>
> Simo.
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
