Hello,
RHEL 7.5 with IPA server 4.5.4
RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL repositories (v1.0.0) and added manually patch: https://pagure.io/ipsilon/pull-request/44#request_diff
I have configured Jira with the plugin for SAML2 (SAML Single Sign On (SSO) Jira, SAML/SSO https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso) and it works fine: when I try to log in on Jira I'm redirected to the Ipsilon server and when I enter user/pass (using an IPA user) I log in.
My problem is that I don't know how to configure which users can log in on the service. Right now all users able to log in on the Ipsilon server via "any service" can log in.
On the Jira side I can create the users manually and configure that only existing users can log in, but I would prefer not to manage users on the service provider side.
Also I want to add more services to Ipsilon, so not all users allowed to log in on Ipsilon should log in on all services.
If I can create a PAM service for any of the services managed by Ipsilon, it would be perfect, as I could create HBAC rules for any service and authorization would be managed just on IPA.
Can anyone explain or give some documentation about this?
Thanks & Regards.
SOLER SANGUESA Miguel via FreeIPA-users wrote:
I forget what pam service is used by Ipsilon by default. I'd suggest you ask on the ipsilon mailing list or in #ipsilon on freenode.
rob
On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
I forget what pam service is used by Ipsilon by default. I'd suggest you ask on the ipsilon mailing list or in #ipsilon on freenode.
It is 'ipsilon'.
I have added the service on IPA and changed the HBAC rule from "any service" to "ipsilon", but now I cannot log in on Ipsilon. Also I've checked that there is no '/etc/pam.d/ipsilon' file.
Thanks & Regards.
-----Original Message-----
From: Alexander Bokovoy abokovoy@redhat.com
Sent: Tuesday, July 10, 2018 15:31
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org; Rob Crittenden rcritten@redhat.com
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion
On Wed, 11 Jul 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
I have added the service on IPA and changed the HBAC rule from "any service" to "ipsilon", but now I cannot log in on Ipsilon. Also I've checked that there is no '/etc/pam.d/ipsilon' file.
On my Ipsilon server (based on Fedora 27) I have:
# rpm -qf /etc/pam.d/ipsilon
ipsilon-base-2.0.2-6.fc27.noarch

# cat /etc/pam.d/ipsilon
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
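The two things that decide whether an IPA user gets through an Ipsilon login are visible in the exchange above: the PAM service name Ipsilon actually uses, and whether the HBAC rule on the IPA side names that service. The following is an added example, not Ipsilon or FreeIPA code. It models both checks offline: it resolves a pam.d stack through its include/substack lines to confirm that pam_sss.so runs in the account phase (the point where SSSD asks IPA to evaluate HBAC for that service name), and it evaluates a small constructed HBAC rule set the way an administrator would expect `ipa hbactest` to. The pam.d stacks other than the quoted "ipsilon" one, the usernames, the group, the host name and the rule names are constructed for this example; the fall-back to /etc/pam.d/other (which denies on RHEL and Fedora) when a service file is missing is real PAM behaviour.

```python
"""Offline model of PAM service resolution plus IPA HBAC evaluation.
Added example, not Ipsilon or FreeIPA code; all identities are constructed."""

import re

# Constructed stand-ins for /etc/pam.d/<service>. "ipsilon" follows the stack
# quoted in the thread; the other stacks are trimmed RHEL-style files written
# for this example only.
PAM_FILES = {
    "ipsilon": """\
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
session    include      postlogin
""",
    "remote": """\
auth       substack     password-auth
account    include      password-auth
session    include      password-auth
""",
    # A stack that never consults SSSD: HBAC cannot be enforced through it.
    "local-only": """\
auth       required     pam_unix.so
account    required     pam_unix.so
""",
    "password-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
session     optional      pam_sss.so
""",
    "postlogin": "session     optional      pam_lastlog.so silent\n",
}

# phase, control (plain word or bracketed action list), module
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def modules_for_phase(service, phase, files=PAM_FILES, depth=0):
    """Modules that run in `phase` for `service`, following include/substack.
    Returns None when the service file is missing (PAM then uses 'other')."""
    if service not in files:
        return None
    mods = []
    for raw in files[service].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != phase:
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack") and depth < 8:
            mods.extend(modules_for_phase(module, phase, files, depth + 1) or [])
        else:
            mods.append(module)
    return mods


def hbac_enforced(service, files=PAM_FILES):
    """True when pam_sss.so runs in the account phase, which is where SSSD
    asks IPA to evaluate HBAC rules for this PAM service name."""
    mods = modules_for_phase(service, "account", files)
    return bool(mods) and "pam_sss.so" in mods


def hbac_allows(rules, user, groups, host, pam_service):
    """Name of the first enabled rule matching user (directly or via a group),
    host and PAM service name. None in a rule field models the IPA "any"
    category ("any service", "any host", "any user")."""
    for r in rules:
        if not r.get("enabled", True):
            continue
        if r["users"] is not None and user not in r["users"] and not (groups & r["users"]):
            continue
        if r["hosts"] is not None and host not in r["hosts"]:
            continue
        if r["services"] is not None and pam_service not in r["services"]:
            continue
        return r["name"]
    return None


def login_decision(rules, user, groups, host, pam_service, files=PAM_FILES):
    """Combine both checks into the outcome an administrator observes."""
    mods = modules_for_phase(pam_service, "account", files)
    if mods is None:
        return "deny: no /etc/pam.d/%s, PAM falls back to 'other'" % pam_service
    if "pam_sss.so" not in mods:
        return "no-hbac: stack never consults SSSD, rules are not evaluated"
    rule = hbac_allows(rules, user, groups, host, pam_service)
    return "allow via %s" % rule if rule else "deny: no HBAC rule matches"


def thread_scenarios():
    """The sequence from the thread, replayed with constructed identities:
    Ipsilon 1.0.0 logs in through PAM service 'remote', 2.x through 'ipsilon'."""
    groups, host = {"jira-users"}, "idp.example.test"
    any_service = [{"name": "allow_all", "users": None, "hosts": None, "services": None}]
    only_ipsilon = [{"name": "allow_ipsilon", "users": {"jira-users"},
                     "hosts": {host}, "services": {"ipsilon"}}]
    without_file = {k: v for k, v in PAM_FILES.items() if k != "ipsilon"}
    return {
        "v1_any_service": login_decision(any_service, "alice", groups, host, "remote"),
        "v1_rule_ipsilon": login_decision(only_ipsilon, "alice", groups, host, "remote"),
        "v2_rule_ipsilon": login_decision(only_ipsilon, "alice", groups, host, "ipsilon"),
        "v2_no_pam_file": login_decision(only_ipsilon, "alice", groups, host, "ipsilon", without_file),
    }
```

Run `thread_scenarios()` to see the four outcomes side by side: the 1.0.0 login passes under "any service" but is denied once the rule names only "ipsilon", because SSSD reports the service as "remote"; the 2.x login passes with the same rule, and is denied again if /etc/pam.d/ipsilon is absent. On a real client the equivalent check is `ipa hbactest --user <user> --host <fqdn> --service <pam-service>`, and the `hbac_enforced` test is worth keeping as a sanity check that a custom service file still routes its account phase through pam_sss.so; a stack like the constructed "local-only" one silently takes IPA out of the authorization decision.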
Thanks for the info. Unfortunately my version doesn’t have it, but googling I found this: https://bugzilla.redhat.com/show_bug.cgi?id=1348585
In my version the 'remote' service is used.
Thanks & Regards.
-----Original Message-----
From: Alexander Bokovoy abokovoy@redhat.com
Sent: Wednesday, July 11, 2018 14:08
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Rob Crittenden rcritten@redhat.com; SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion
Also for the latest version 2.1.0 I realized that it can be created with this:
cp templates/install/pam/ipsilon.pamd /etc/pam.d/ipsilon
Thanks & Regards.