Thanks for the info. Unfortunately my version doesn’t have it, but googling I found this:
https://bugzilla.redhat.com/show_bug.cgi?id=1348585
In my version the 'remote' service is used.
Thanks & Regards.
-----Original Message-----
From: Alexander Bokovoy <abokovoy(a)redhat.com>
Sent: Wednesday, July 11, 2018 14:08
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten(a)redhat.com>; SOLER SANGUESA Miguel
<solerm(a)unicc.org>
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion
On ke, 11 heinä 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>I have added the service on IPA and changed on the HBAC rule from "any
>service" to "ipsilon", but now I cannot log in on ipsilon. Also I've
>checked that there is no '/etc/pam.d/ipsilon' file.
On my Ipsilon server (based on Fedora 27) I have:
# rpm -qf /etc/pam.d/ipsilon
ipsilon-base-2.0.2-6.fc27.noarch
# cat /etc/pam.d/ipsilon
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
Thanks & Regards.
-----Original Message-----
From: Alexander Bokovoy <abokovoy(a)redhat.com>
Sent: Tuesday, July 10, 2018 15:31
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: SOLER SANGUESA Miguel <solerm(a)unicc.org>; Rob Crittenden
<rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion
On ti, 10 heinä 2018, Rob Crittenden via FreeIPA-users wrote:
>SOLER SANGUESA Miguel via FreeIPA-users wrote:
>>Hello,
>>
>>RHEL 7.5 with IPA server 4.5.4
>>
>>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL
>>repositories (v1.0.0) and manually added the patch:
>>https://pagure.io/ipsilon/pull-request/44#request_diff
>>
>>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>>(SSO) Jira, SAML/SSO
>><https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso>)
>>and it works fine: when I try to log in on Jira I’m redirected to the
>>Ipsilon server and when I put user/pass (using an IPA user) I log in.
>>
>>My problem is that I don’t know how to configure which users can log
>>in on the service. Right now all users able to log in on the Ipsilon
>>server via “any service” can log in.
>>
>>On Jira side I can create the users manually and configure that just
>>existing users can log in, but I would prefer not to manage users on
>>the service provider side.
>>
>>Also I want to add more services to Ipsilon, so not all users allowed
>>to log in on Ipsilon should log in on all services.
>>
>>If I can create a pam service for any of the services managed by
>>ipsilon, it would be perfect, as I could create HBAC rules for any
>>service and authorization would be managed just on IPA.
>>
>>Can anyone explain or give some documentation about this?
>
>I forget what pam service is used by Ipsilon by default. I'd suggest
>you ask on the ipsilon mailing list or in #ipsilon on freenode.
It is 'ipsilon'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/C43VGBU2HELLOTQR2FMYB4UIG4JKZP4L/
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
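Added example, not from the thread: the FreeIPA CLI steps that turn the answer above into a working restriction, creating an HBAC service object named after Ipsilon's PAM service, a rule scoped to it, and an ipa hbactest check of the result before relying on it. The host, group and rule names are placeholders, and IPA_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Restricts Ipsilon logins with a FreeIPA
# HBAC rule keyed on the PAM service Ipsilon authenticates through: 'ipsilon'
# on the ipsilon-base 2.x package shown above, 'remote' on the older build.
# Assumed placeholder names: host ipsilon.example.com, group ipsilon-jira-users,
# rule allow_ipsilon_jira. With IPA_DRY_RUN=1 the commands are printed instead
# of executed; otherwise run with an admin Kerberos ticket (kinit admin).
PAM_SERVICE="${PAM_SERVICE:-ipsilon}"
IPSILON_HOST="${IPSILON_HOST:-ipsilon.example.com}"
USER_GROUP="${USER_GROUP:-ipsilon-jira-users}"
RULE="${RULE:-allow_ipsilon_jira}"

run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

configure_hbac() {
    # 1. HBAC service object named exactly as pam_sss reports the PAM service
    #    to the IPA server (it may already exist, so a failure is not fatal).
    run ipa hbacsvc-add "$PAM_SERVICE" --desc="Ipsilon IdP login" || true
    # 2. One rule scoped to that service, the Ipsilon host and one user group.
    run ipa hbacrule-add "$RULE" --desc="Users allowed to log in to Ipsilon"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs="$PAM_SERVICE"
    run ipa hbacrule-add-host "$RULE" --hosts="$IPSILON_HOST"
    run ipa hbacrule-add-user "$RULE" --groups="$USER_GROUP"
    # 3. The default allow_all rule grants every user every service while it
    #    is enabled, so this rule only restricts anything once allow_all is
    #    disabled (ipa hbacrule-disable allow_all), after rules for sshd etc.
    #    are in place so administrators are not locked out.
}

# Simulate a login before relying on the rule: hbactest evaluates the enabled
# rules on the server and reports whether access would be granted for this
# user/host/service triple, without touching the Ipsilon host itself.
check_access() {
    run ipa hbactest --user="$1" --host="$IPSILON_HOST" --service="$PAM_SERVICE"
}

# Usage: configure_hbac; check_access alice; check_access bob
```

Run check_access for both a member and a non-member of the group; only the member should see "Access granted".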