Hello,
Could you please be so kind as to provide me advice on how to set up an HBAC
rule to allow user authentication/authorization to a web service but not to
the server where this web service runs?
Our IPA runs on CentOS 7.5.1804, IPA version 4.5.4, API_VERSION: 2.228.
The web service runs on Ubuntu 16.06.5 LTS with Apache2.
In the Apache configuration, Kerberos authentication is set up and
authorization is directed to the pam_sss.so SSSD module, which we use for
server login.

<Location />
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbAuthoritative On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/web_server.domain.com
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/apache2/http-web_server.keytab
    KrbVerifyKDC Off
    KrbSaveCredentials On
    KrbLocalUserMapping On
    Require pam-account crm-production
</Location>

/etc/pam.d/crm-production:

    auth    required pam_sss.so # pam_sss.so for SSSD
    account required pam_sss.so # or other PAM module
-----------------------------------------------------------------------
The HBAC rule with the below settings works, but it allows any service.

Specified User and Groups
    * testuser
Specified Hosts and Groups
    * web_server.domain.com
Any Service

How can I tell the HBAC rule to allow only HTTP/web_server.domain.com?
Thank you.
With kind regards,
Jan Gardian
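
The following is an added example, not part of the original message and not FreeIPA code: a simplified model of HBAC evaluation for the rule described above. It assumes the HBAC service is matched against the PAM service name the application hands to SSSD (`crm-production` from the `Require pam-account` line, `sshd` for server login), not against the Kerberos principal `HTTP/web_server.domain.com`. The rule names and the `web_only` rule are constructed for illustration.

```python
# Simplified model of FreeIPA HBAC evaluation (added example, not FreeIPA code).
# Assumption: the HBAC "service" is the PAM service name passed to SSSD,
# e.g. "crm-production" from the Apache config above, or "sshd" for login.
from dataclasses import dataclass

ANY = "*"  # models the "Any User / Any Host / Any Service" category


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: frozenset
    hosts: frozenset
    services: frozenset
    enabled: bool = True

    def matches(self, user, host, service):
        def hit(allowed, value):
            return ANY in allowed or value in allowed
        return (self.enabled and hit(self.users, user)
                and hit(self.hosts, host) and hit(self.services, service))


def rule(name, users, hosts, services, enabled=True):
    return HbacRule(name, frozenset(users), frozenset(hosts),
                    frozenset(services), enabled)


def evaluate(rules, user, host, service):
    """HBAC rules only grant access. Returns the names of the matching
    rules; an empty list means the request is denied."""
    return [r.name for r in rules if r.matches(user, host, service)]


HOST = "web_server.domain.com"  # host from the post
# Rule as described in the post: one user, one host, Any Service.
any_service = rule("crm_any_service", ["testuser"], [HOST], [ANY])
# Constructed alternative: same user and host, only the Apache PAM service.
web_only = rule("crm_web_only", ["testuser"], [HOST], ["crm-production"])
# FreeIPA's default allow_all rule; while enabled it still grants sshd.
allow_all = rule("allow_all", [ANY], [ANY], [ANY])

if __name__ == "__main__":
    cases = [("Any Service rule", [any_service]),
             ("web-only rule", [web_only]),
             ("web-only + allow_all", [web_only, allow_all])]
    for label, rules in cases:
        for svc in ("crm-production", "sshd"):
            matched = evaluate(rules, "testuser", HOST, svc)
            verdict = "ALLOW via " + ",".join(matched) if matched else "DENY"
            print(f"{label:22} {svc:15} {verdict}")
```

On a real IPA server the same check can be run with `ipa hbactest --user=testuser --host=web_server.domain.com --service=sshd` after the PAM service name has been registered with `ipa hbacsvc-add crm-production` and added to the rule.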