On Wed, Oct 18, 2017 at 4:10 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:

On Tue, Oct 17, 2017 at 05:15:08PM -0400, Asif Iqbal wrote:
> I setup sssd to login with 2 factor auth and it works fine and then I am
> failing to sudo with ldap even though id_provider is ldap.
>
> Here is log from sssd_LDAP when running sudo -s
>
> http://dpaste.com/36PTMS0.txt
>
> Here is relevant config
>
> [domain/LDAP]
> chpass_provider = krb5
> access_provider = ldap
> id_provider = ldap
> ...
> auth_provider = proxy
> proxy_pam_target = securid
> ..
>
> There is no sudo_* in here
>
> sudo -s works if I use the auth provider, which is 2FA. So it seems like
> sudo auth follows whatever auth_provider is set to?
>
> Can I have ssh login with proxy as auth provider and sudo login with ldap
> as auth provider?
>
> I know both ssh and sudo login works with ldap and krb5, but I need to have
> the ssh login with 2FA in my env.
>
> Thanks for your help

The only way I can think of solving this is to configure two [domains]
in sssd.conf and using fully qualified names, e.g. user@otpdomain and
user@ldapdomain..

I know I can just skip sssd and use pam.d/sshd auth pointing to pam_securid.so

and pam.d/sudo to pam_ldap. Much simpler approach. So user can still do

normal unix login with securid (2FA ) credentials and then sudo with LDAP credentials.

Hopefully someday sssd will be capable to offer that.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?