On Thu, 23 Nov 2023, Francis Augusto Medeiros-Logeay wrote:
> > No. This cannot be done -- a client cannot tell the LDAP (or KDC) server
> > that it is a 'trusted one'. When authentication comes, it is all about
> > user login, not where that login is coming from.
> Thanks Alexander.
> I don't think this will change your answer, but the feature I asked
> about was not about "the client telling that it is a trusted one",
> but being able to set password policies based on which IP the request
> comes from.
That's exactly what you asked for: a client-driven choice of a policy.
The IP address of the connected client is not under the control of the server
and may be spoofed. This is also the reason why, more than a decade ago, we
removed the ability to differentiate HBAC rules by the connecting
client's address.
> When the mail server authenticates towards FreeIPA, it gets pretty chaotic
> if the user changes the password and has the phone, iPad, work and
> home computers trying to authenticate with the older password.
An ideal way is to move away from direct password-based
authentication, for example by relying on an OAuth2 bearer token or
GSSAPI. In those cases a valid token would continue to work until it
expires, which decouples your 'password expired and needs to be changed'
and 'email client needs to continue its access' situations. In the
latter case, if the token becomes invalid, the client on the phone, iPad,
etc. would automatically spawn a browser view to re-authenticate.
FreeIPA doesn't have an OAuth2 IdP integrated right now, but there are
plenty of instructions around for integrating with several open source
projects.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue