Hi,
I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0815@mywindows.domain.at but there is no corresponding entry on the AD domain controller. The available user attributes in the LDAP directory look like 'myuser0815' (samaccountname) or 'myuser0815@someupnsuffix.domain.at' (userprincipalname).
GssapiLocalName or KrbLocalUserMapping would only map to locally existing users, right? I tried them both and still saw 'myuser0815@mywindows.domain.at' leading to:
[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap authorise: User DN not found, User not found
Any ideas what I could try next?
Regards, Ronald
On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,
I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0815@mywindows.domain.at but there is no corresponding entry on the AD domain controller. The available user attributes in the LDAP directory look like 'myuser0815' (samaccountname) or 'myuser0815@someupnsuffix.domain.at' (userprincipalname).
GssapiLocalName or KrbLocalUserMapping would only map to locally existing users, right? I tried them both and still saw 'myuser0815@mywindows.domain.at' leading to:
[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap authorise: User DN not found, User not found
Any ideas what I could try next?
Don't use mod_authnz_ldap, it doesn't have any clue about real complexity like the above.
A proper solution would be to use mod_authnz_pam and allow pam_sss to handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/
On 2017-09-28 10:19, Alexander Bokovoy via FreeIPA-users wrote:
Don't use mod_authnz_ldap, it doesn't have any clue about real complexity like the above.
A proper solution would be to use mod_authnz_pam and allow pam_sss to handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/
Wouldn't it be sufficient to use
Require pam-account system-auth
because on an ipa client, there is already pam_sss.so in the system-auth pam service file? Or am I missing the point here?
Regards, Ronald
On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
On 2017-09-28 10:19, Alexander Bokovoy via FreeIPA-users wrote:
Don't use mod_authnz_ldap, it doesn't have any clue about real complexity like the above.
A proper solution would be to use mod_authnz_pam and allow pam_sss to handle actual HBAC checks. See https://www.adelton.com/apache/mod_authnz_pam/
Wouldn't it be sufficient to use
Require pam-account system-auth
because on an ipa client, there is already pam_sss.so in the system-auth pam service file? Or am I missing the point here?
You need to define HBAC rules that target system-auth PAM service on this host then.
But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this service.
On 2017-09-28 11:37, Alexander Bokovoy wrote:
You need to define HBAC rules that target system-auth PAM service on this host then.
But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this service.
Is an HBAC Service in IPA the counterpart to the PAM file on an ipa client residing in /etc/pam.d/ ?
Ronald Wimmer via FreeIPA-users wrote:
On 2017-09-28 11:37, Alexander Bokovoy wrote:
You need to define HBAC rules that target system-auth PAM service on this host then.
But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this service.
Is an HBAC Service in IPA the counterpart to the PAM file on an ipa client residing in /etc/pam.d/ ?
Yes.
rob
On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
On 2017-09-28 11:37, Alexander Bokovoy wrote:
You need to define HBAC rules that target system-auth PAM service on this host then.
But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this service.
Is an HBAC Service in IPA the counterpart to the PAM file on an ipa client residing in /etc/pam.d/ ?
Yes. You can always get help by running 'ipa help <topic>' command:
-------------------------------------------------------------
$ ipa help hbacsvc
HBAC Services

The PAM services that HBAC can control access to. The name used here must match the service name that PAM is evaluating.

EXAMPLES:

 Add a new HBAC service:
   ipa hbacsvc-add tftp

 Modify an existing HBAC service:
   ipa hbacsvc-mod --desc="TFTP service" tftp

 Search for HBAC services. This example will return two results, the FTP service and the newly-added tftp service:
   ipa hbacsvc-find ftp

 Delete an HBAC service:
   ipa hbacsvc-del tftp

Topic commands:
  hbacsvc-add   Add a new HBAC service.
  hbacsvc-del   Delete an existing HBAC service.
  hbacsvc-find  Search for HBAC services.
  hbacsvc-mod   Modify an HBAC service.
  hbacsvc-show  Display information about an HBAC service.

To get command help, use:
  ipa <command> --help
-------------------------------------------------------------
There is also a section in the documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
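As an added example (not part of the thread and not FreeIPA project code), here is how the advice above fits together on an enrolled IPA client: a dedicated PAM service for the web application, the mod_authnz_pam `Require pam-account` line that names it, and the `ipa` commands that create the HBAC service with the same name plus a rule for it. The service name `httpd-myapp`, host `web.ipa.example.test`, group `webapp-users` and keytab path are assumed placeholders; the script only writes files and prints the commands unless invoked with `apply`.

```shell
#!/bin/sh
# Added example: delegate Apache authorization to PAM so that pam_sss (SSSD)
# evaluates IPA HBAC rules. The HBAC service name in IPA must equal the PAM
# service name Apache asks for. All names are placeholders, not thread values.
PAM_SVC="httpd-myapp"            # PAM service == HBAC service name
IPA_HOST="web.ipa.example.test"  # the web server, enrolled as an IPA client
WEB_GROUP="webapp-users"         # IPA group allowed into /myapp

# Write the Apache and PAM fragments below directory $1 (use / on a real host).
write_configs() {
  root="$1"
  mkdir -p "$root/etc/httpd/conf.d" "$root/etc/pam.d"
  cat > "$root/etc/httpd/conf.d/myapp-auth.conf" <<EOF
<Location /myapp>
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
    # Authorization is delegated to PAM; the service name selects the HBAC service.
    Require pam-account $PAM_SVC
</Location>
EOF
  # pam_sss.so asks SSSD, which applies the HBAC rules defined for "$PAM_SVC".
  cat > "$root/etc/pam.d/$PAM_SVC" <<EOF
auth     required pam_sss.so
account  required pam_sss.so
EOF
}

# Print the IPA commands that create the matching HBAC service and rule.
# Assumption: 'ipa hbactest' can evaluate a trusted-domain (AD) user.
hbac_commands() {
  cat <<EOF
ipa hbacsvc-add $PAM_SVC --desc="Apache authorization for /myapp"
ipa hbacrule-add allow_$PAM_SVC --desc="Who may use /myapp"
ipa hbacrule-add-service allow_$PAM_SVC --hbacsvcs=$PAM_SVC
ipa hbacrule-add-host allow_$PAM_SVC --hosts=$IPA_HOST
ipa hbacrule-add-user allow_$PAM_SVC --groups=$WEB_GROUP
ipa hbactest --user=myuser0815@mywindows.domain.at --host=$IPA_HOST --service=$PAM_SVC
EOF
}

case "$1" in
  apply) write_configs / && hbac_commands | sh ;;  # needs an admin Kerberos ticket
  *)     hbac_commands ;;                          # default: only show the commands
esac
```

The last `hbactest` line is the check to run before trusting the setup: it reports which rules matched for that user, host and service.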