On Mon, Jun 29, 2020 at 02:02:58PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 29 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
> > In our setup, a service is running on some server machine, say,
> > "sample/servername.domain" and a client for that service is
> > running on a workstation (using the sample gssapi client and
> > server code from the kerberos sources). Now, what is the proper
> > way to do this in freeipa?
> >
> > 1. Allow users foo and bar to log in to the workstation but to no
> > other machine of the kerberos realm.
> > 2. Deny access to sample/servername.domain from any host except
> > from the workstation.
> > 3. Allow user foo access to the service.
> > 4. Deny user bar access to the service.
> > 5. Deny both users access to anything else on the server.
> ...
> A recommended way is to teach your application to use PAM for
> authorization and set PAM configuration to use pam_sss.so for session
> and access checks. SSSD will handle HBAC rule application
> automatically once your app tries to do an access check for a user.
Thanks for the info.
We now have a sample client-server that uses gssapi to connect,
and a sample program that does authorization via pam. So, the
complete solution would be:
* Use gssapi from the sample program to connect the client with
the server and authenticate the user.
* Somehow extract the (authenticated) username from the
connection established by gssapi.
* Pass the username to pam_authenticate().
* Set up the pam config file for the service to use pam_sss to
check, say, that the user is in a certain group that is allowed.
Correct?
Is gssapi a sensible choice of programming interface to implement
this, or should one rather use a higher level library like sasl?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
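The server-side authorization step sketched in the message above, as an added example that is neither the thread's nor the MIT sample code: it maps the principal string that gss_display_name() returns for the accepted context to a local user name, pins the realm, and then runs an account check at the point where a real server would call pam_acct_mgmt() (pam_sss evaluates HBAC in the PAM account stage, so pam_authenticate() is not needed once Kerberos has authenticated the client). The PAM stage is replaced by a constructed stub so the block compiles without libgssapi or libpam; the service name "sample", the realm EXAMPLE.COM and the allowed user "foo" are assumptions.

```c
#include <string.h>
/* Map the principal string from gss_display_name(), e.g. "foo@EXAMPLE.COM",
 * to the local login name PAM expects ("foo"). The application pins the
 * realm (a principal from a trusted foreign realm also completes the GSS
 * handshake) and refuses service principals such as "host/ws@REALM".
 * On MIT krb5, gss_localname() can do this mapping via auth_to_local rules.
 * Returns 0 on success, -1 if the principal must be rejected. */
int principal_to_local_user(const char *display_name, const char *expected_realm,
                            char *user, size_t user_len)
{
    const char *at = strrchr(display_name, '@');
    size_t ulen;
    if (at == NULL || at == display_name)         /* no realm, or empty user */
        return -1;
    if (strcmp(at + 1, expected_realm) != 0)       /* wrong or empty realm */
        return -1;
    ulen = (size_t)(at - display_name);
    if (memchr(display_name, '/', ulen) != NULL)   /* not a plain user name */
        return -1;
    if (ulen >= user_len)                          /* would truncate */
        return -1;
    memcpy(user, display_name, ulen);
    user[ulen] = '\0';
    return 0;
}

/* Constructed stand-in for the PAM account stage so the block runs without
 * libpam; "allowed" plays the answer SSSD's HBAC evaluation would give.
 * A real server does, with "account required pam_sss.so" in /etc/pam.d/sample:
 *   pam_start("sample", user, &conv, &pamh);
 *   ok = (pam_acct_mgmt(pamh, 0) == PAM_SUCCESS);   // pam_sss.so asks SSSD
 *   pam_end(pamh, PAM_SUCCESS);
 * Kerberos already authenticated the client, so no pam_authenticate(). */
int demo_account_check(const char *user)
{
    static const char *allowed[] = { "foo" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(user, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Authorization after gss_accept_sec_context() succeeded: 1 = allow, 0 = deny. */
int authorize_client(const char *display_name, const char *expected_realm,
                     int (*account_check)(const char *user))
{
    char user[256];
    if (principal_to_local_user(display_name, expected_realm, user, sizeof user) != 0)
        return 0;
    return account_check(user) ? 1 : 0;
}
```

In a real server the display name comes from gss_display_name() on the src_name that gss_accept_sec_context() filled in, and account_check wraps the pam_acct_mgmt() call shown in the comment.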