:
+:@admin-users@@sandbox-hosts:
This rule will then allow "admin-users" to log on any host whose
nisdomainname is "sandbox"
I have to think to it before deploying, not sure yet this the right thing
to do, but at this stage I can
tell that it works on a redhat 6.6 at least :)
it does) it might work adding something
like this : "account required pam_access.so"
in pam.d/system-auth
But doing that, I'll also need to remove "ldap_access_order = host" in
sssd.conf and outsource HBAC to pam_access.
I'll test and let you know.
Best,
that
(for me at least).
May be another way be to use a nis netgroup with pam_access and to add a
HBAC
mecanism that knows about jokers ?
--
Olivier
2015-05-05 16:56 GMT+02:00 Lukas Slebodnik :
> On (05/05/15 16:44), Olivier wrote:
> >Hi everyone,
> >
> >I have b
ommend to tune user
autorisations in ldap so that they can only log to all machines that
contain a specific label in there hostname (or why not all hosts that are
hosted in a specific network).
Thanks,
--
Olivier
___
sssd-users mailing list
sssd-user
it sounds to me that sshd bypass the user password
verification when authenticate over ssh key,
I'm curious to see if those options will be relevant in my case. I'll let
you know.
Best
---
Olivier
2015-04-15 14:07 GMT+02:00 Michael Ströder :
> Olivier wrote:
>
>&
Many thanks Lukas : very interesting.
I look at this.
---
Olivier
2015-04-15 13:40 GMT+02:00 Lukas Slebodnik :
> On (15/04/15 12:37), Olivier wrote:
> >Hi,
> >
> >Addendum:
> >
> >> My current policy is the following :
> >>
> >> - All
ion process.
That means that if a bad sshkey is returned by
"sss_ssh_authorizedkeys", then ppolicy will be checked and
updated if necessary through the "login / password" process.
May be that could help : with a given flag "sss_ssh_authorizedkeys"
could simply refuse
h 'UsePAM yes').
I would appreciate any guidance, advices or experiences from you
on that particular issue.
Thank you,
--
Olivier
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Pieter,
You may have a look there:
https://bugster.forgerock.org/jira/browse/OPENDJ-521
---
Olivier
2013/10/31 Pieter Baele
> Hello everyone,
>
> I made a configuration where I use Active Directory Kerberos as
> authentication source,
> but OpenDJ LDAP (Forgerock)
known=ignore] pam_ldap.so
passwordsufficientpam_ldap.so use_authtok
session optional pam_ldap.so
Nothing critical in all that (to me at least), since I found workarounds,
however may be this should be fixed with next authconfig versions ?
Yep, I get the lib now using yum, I might had mistyped. If I understand you
well in the future libsss_sudo will be packaged in sssd ?
2013/10/17 Jakub Hrozek
> On Thu, Oct 17, 2013 at 06:10:07PM +0200, Olivier wrote:
> > Ok, thanks.
> >
> > it's not yet in my &quo
Ok, thanks.
it's not yet in my "official" redhat6 repository then.
(curently : sssd-1.9.2-82.7.el6_4.x86_64)
---
Olivier
2013/10/17 Jakub Hrozek
> On Thu, Oct 17, 2013 at 05:03:32PM +0200, Lukas Slebodnik wrote:
> > On (17/10/13 16:21), Olivier wrote:
> >
Hello,
FYI : https://bugzilla.redhat.com/show_bug.cgi?id=1020366
Best
---
Olivier
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
So it sounds like I might manage to remove ldap servers declaration
for authconfig (once I'll manage to use sssd for sudo).
Best
---
Olivier
2013/10/11 Stephen Gallagher
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 10/11/2013 08:41 AM, Olivier wrote:
> > H
onfig with explicit ldap servers
(and I don't want them to be declared in ldap_uri).
---
Olivier
2013/10/11 Michael Ströder
> On Fri, 11 Oct 2013 14:07:31 +0200 Olivier wrote
> > I have reported it as an authconfig bug, I think it might also be
> something
> > to be con
Ah ! I see.
Thanks
2013/10/11 Stephen Gallagher
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 10/11/2013 08:07 AM, Olivier wrote:
> > Hello Stephen,
> >
> > this is done : https://bugzilla.redhat.com/show_bug.cgi?id=1018189
> >
> > I have
t;ldap_uri" if borth parameters are
declared
in sssd.conf ?
---
Olivier
2013/10/10 Stephen Gallagher
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 10/10/2013 10:39 AM, Olivier wrote:
> > Here it comes again...
> >
> > I have an issue with this deplo
he "dns_discovery_domain" (and use ldap servers as declared
in "ldap_uri").
Do you confirm ?
Question : is there any way to avoid authconfig configuring "ldap_uri"
in sssd.conf if "dns_discovery_domain" is already tuned ?
Other comment ?
Thanks,
---
Jakub and all,
> I think in general the setup looks good, you might just find the
> ldap_backup_uri parameter interesting for cases the DNS SRV
> records were not usable for one reason or another.
thanks for your precious time and help.
Olivier
2013/9/26 Jakub Hrozek
> On Thu,
>But still my concerns regarding the TLS hostname check is unanswered.
DNSSEC ?
Best
2013/9/26 Michael Ströder
> Jakub Hrozek wrote:
> > On Wed, Sep 25, 2013 at 08:22:57PM +0200, Michael Ströder wrote:
> >> Hmm, I really wonder why SRV RRs are recommended over having a single
> service
> >> CN
location2.example.fr>
.
_ldap._tcp.example.fr. 172800 IN SRV 30 0 389
ldap2.example.fr<http://ldap2.location3.example.fr>
.
2013/9/26 Olivier
> Hello Jakub and all,
>
> may be the following could help : to be honnest, from an operational point
> of view
> I li
nd different weights for ldap prefered servers depending
on where it is physically located : I use a zone per location to do
that and play with the sssd "dns_discovery_domain" parameter.
I also tested the fallback : when I shut down the first ldap server,
sssd seems to ask for the next one af
e.com.
will sssd fallback properly to ldap2 if ldap1 does not respond ?
thanks,
---
Olivier
2013/9/25 Jakub Hrozek
> On Wed, Sep 25, 2013 at 11:42:15AM +0200, Olivier wrote:
> > Hello everyone,
> >
> > I launch "authconfig" within a script to setup my redhat6 boxe
uri" parameter within sssd.conf. Could
anyone confirm that this parameter is not necessary and
where does sssd collect the list of ldap servers to query
in that case, ldap.conf ?
Thank you for any help,
Best regards,
---
Olivier
___
sssd-users ma
"openssh-lpk_openldap.schema" in openldap
2- I have configured my account in the directory to know about
"sshPublicKey" attribute, and I have inserted my key :
# ldapsearch -x -h localhost -b dc=guillard,dc=corp "(uid=olivier)"
sshPublicKey
dn: uid=olivier,dc
Ok : I found where was my mistake :
This is wrong:
> ldap_user_ssh_public_key = True
This is the right config :
ldap_user_ssh_public_key = sshPublicKey
Now it works !
Thanks to Mathieu :
http://blog.mlemoine.name/2013/04/11/centralizing-server-access.html
And all
Best,
---
Oliv
point : could anyone help ?
Here is where I am:
1- I have loaded "openssh-lpk_openldap.schema" in openldap
2- I have configured my account in the directory to know about
"sshPublicKey" attribute, and I have inserted my key :
# ldapsearch -x -h localhost -b dc=guillard,dc
27 matches
Mail list logo
