On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
On 2017-09-28 10:19, Alexander Bokovoy via FreeIPA-users wrote:
>Don't use mod_authnz_ldap, it doesn't have any clue about real
>complexity like the above.
>
>A proper solution would be to use mod_authnz_pam and allow pam_sss to
>handle actual HBAC checks. See
>https://www.adelton.com/apache/mod_authnz_pam/
Wouldn't it be sufficient to use
Require pam-account system-auth
because on an IPA client, there is already pam_sss.so in the
system-auth PAM service file? Or am I missing the point here?
You need to define HBAC rules that target the system-auth PAM service on this host then.
But yes, any practical PAM service would work as long as you have
appropriate HBAC rules for this service.
--
/ Alexander Bokovoy
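A worked configuration that ties the pieces of this thread together, added here as an illustration and not taken from the thread or from the mod_authnz_pam project; it uses a dedicated PAM service as the first reply suggested, and reusing system-auth works the same way with the HBAC rule targeting that service name instead. The service name http-app, the host web.example.com, the group app-users and the file paths are assumed values.

```apache
# /etc/httpd/conf.d/app.conf on the IPA client that runs httpd (assumed path)
<Location "/app">
    AuthType Basic
    AuthName "Application login (IPA account)"
    # mod_authnz_pam: authenticate the Basic credentials through PAM service http-app ...
    AuthBasicProvider PAM
    AuthPAMService http-app
    # ... and authorize through the account stack of the same service, which is
    # where pam_sss.so asks SSSD for the HBAC decision for (user, this host, http-app).
    # Without this line a valid password alone would be enough to get in.
    Require pam-account http-app
</Location>

# /etc/pam.d/http-app on the same host: only pam_sss, so no local accounts
# bypass the central policy.
#   auth     required  pam_sss.so
#   account  required  pam_sss.so
#
# Matching HBAC rule on the IPA server. HBAC matches on the PAM service name,
# which is why a dedicated service gives finer control than reusing system-auth
# (system-auth rules also govern console and SSH logins on that host):
#   ipa hbacsvc-add http-app
#   ipa hbacrule-add allow_http_app
#   ipa hbacrule-add-service allow_http_app --hbacsvcs=http-app
#   ipa hbacrule-add-host    allow_http_app --hosts=web.example.com
#   ipa hbacrule-add-user    allow_http_app --groups=app-users
#
# Check the decision the client will actually get, and confirm that the
# default allow_all rule (enabled on a fresh IPA install) is not what grants it:
#   ipa hbactest --user=alice --host=web.example.com --service=http-app
#   ipa hbacrule-show allow_all
#
# On SELinux-enforcing hosts httpd must be permitted to talk to PAM:
#   setsebool -P httpd_mod_auth_pam on
```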