Hello Alexander,
Thanks for the help.
I found that I have to name the pam.d service with the same name as the HBAC service
in IPA, and it works.
My mistake when reading the documentation.
With kind regards,
Jan Gardian
On 08/28/2018 05:44 PM, Alexander Bokovoy wrote:
On Tue, 28 Aug 2018, Jan Gardian via FreeIPA-users wrote:
Hello,
Could you please be so kind as to advise me how to set up an HBAC rule
to allow user authentication/authorization to a web service but not to
the server where this web service runs.
Our IPA runs on CentOS 7.5.1804, IPA version 4.5.4, API_VERSION:
2.228.
The web service runs on Ubuntu 16.06.5 LTS on Apache2.
In the Apache configuration, Kerberos authentication is set up and
authorization is directed to the pam_sss.so SSSD module, which we use for
server login.
<Location />
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbAuthoritative On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/web_server.domain.com
  KrbAuthRealms DOMAIN.COM
  Krb5KeyTab /etc/apache2/http-web_server.keytab
  KrbVerifyKDC Off
  KrbSaveCredentials On
  KrbLocalUserMapping On
  Require pam-account crm-production
</Location>

/etc/pam.d/crm-production:
  auth    required pam_sss.so # pam_sss.so for SSSD
  account required pam_sss.so # or other PAM module
-----------------------------------------------------------------------
The HBAC rule with the settings below works, but it allows any service.
Specified User and Groups
* testuser
Specified Hosts and Groups
* web_server.domain.com
Any Service
How can I tell in HBAC rule to allow only HTTP/web_server.domain.com?
Did you disable the allow_all HBAC rule? That rule allows access to any
service on any machine by default. You'd need to create specific rules
for specific users/groups/hosts/services when the allow_all rule is
disabled.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
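The two points of the thread, as an added illustration that is not FreeIPA's or SSSD's code: HBAC grants access when any enabled rule matches, so an enabled allow_all rule (or a rule with "Any Service") admits every PAM service, and the PAM service name is compared literally with the HBAC service name, so /etc/pam.d/crm-production must be paired with an HBAC service called exactly crm-production. Rule names other than allow_all and the scenario data are constructed.

```python
from dataclasses import dataclass, field

ANY = "*"  # stands for the "Any Users/Hosts/Service" category in the IPA UI


@dataclass
class HbacRule:
    """Simplified model of one FreeIPA HBAC rule (constructed, not IPA's schema)."""
    name: str
    users: set = field(default_factory=set)     # user names, or {ANY}
    hosts: set = field(default_factory=set)     # host FQDNs, or {ANY}
    services: set = field(default_factory=set)  # HBAC service names, or {ANY}
    enabled: bool = True

    def matches(self, user: str, host: str, service: str) -> bool:
        def ok(allowed: set, value: str) -> bool:
            return ANY in allowed or value in allowed
        # The service is compared as a plain string: "crm_production" != "crm-production".
        return (self.enabled and ok(self.users, user)
                and ok(self.hosts, host) and ok(self.services, service))


def evaluate(rules, service, user="testuser", host="web_server.domain.com"):
    """Return the names of enabled rules granting `user` on `host` for PAM service
    `service`. HBAC has no deny rules: one match is enough, no match means denied."""
    return [r.name for r in rules if r.matches(user, host, service)]


# Constructed rule sets mirroring the thread.
ALLOW_ALL = HbacRule("allow_all", {ANY}, {ANY}, {ANY})
ALLOW_ALL_DISABLED = HbacRule("allow_all", {ANY}, {ANY}, {ANY}, enabled=False)
WEB_ANY_SERVICE = HbacRule("crm-web", {"testuser"}, {"web_server.domain.com"}, {ANY})
WEB_CRM_ONLY = HbacRule("crm-web", {"testuser"}, {"web_server.domain.com"},
                        {"crm-production"})

if __name__ == "__main__":
    # allow_all still enabled: the specific rule changes nothing, sshd is granted.
    print(evaluate([ALLOW_ALL, WEB_CRM_ONLY], "sshd"))             # ['allow_all']
    # allow_all disabled but rule says "Any Service": still grants sshd.
    print(evaluate([ALLOW_ALL_DISABLED, WEB_ANY_SERVICE], "sshd"))  # ['crm-web']
    # allow_all disabled, service restricted: only the web PAM service passes.
    print(evaluate([ALLOW_ALL_DISABLED, WEB_CRM_ONLY], "crm-production"))  # ['crm-web']
    print(evaluate([ALLOW_ALL_DISABLED, WEB_CRM_ONLY], "sshd"))            # []
    # pam.d file named differently from the HBAC service: denied.
    print(evaluate([ALLOW_ALL_DISABLED, WEB_CRM_ONLY], "crm_production"))  # []
```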