I set up sssd to log in with 2 factor auth and it works fine, and then I am failing to sudo with ldap even though id_provider is ldap.
Here is the log from sssd_LDAP when running sudo -s
Here is the relevant config
[domain/LDAP]
chpass_provider = krb5
access_provider = ldap
id_provider = ldap
...
auth_provider = proxy
proxy_pam_target = securid
..
There is no sudo_* in here
sudo -s works if I use the auth provider, which is 2FA. So it seems like sudo auth follows whatever auth_provider is set to?
Can I have ssh login with proxy as auth provider and sudo login with ldap as auth provider?
I know both ssh and sudo login work with ldap and krb5, but I need to have the ssh login with 2FA in my env.
Thanks for your help
On Tue, Oct 17, 2017 at 05:15:08PM -0400, Asif Iqbal wrote:
The only way I can think of solving this is to configure two [domains] in sssd.conf and use fully qualified names, e.g. user@otpdomain and user@ldapdomain..
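What the two-domain layout Jakub describes could look like, as an added example that is not from the thread or the sssd project; the server name, search base and domain names are placeholders, and the idea is that ssh logins use user@otpdomain (password plus token via the securid PAM stack) while sudo re-authenticates as user@ldapdomain (LDAP bind with the directory password):

```ini
# /etc/sssd/sssd.conf (constructed example; ldap.example.com and the
# search base are placeholders, both domains read the same directory)
[sssd]
services = nss, pam
domains = otpdomain, ldapdomain

# Interactive (ssh) logins: identities come from LDAP, but authentication
# is handed to the "securid" PAM service, so the token code is required.
[domain/otpdomain]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = proxy
proxy_pam_target = securid
access_provider = ldap
chpass_provider = krb5
use_fully_qualified_names = True

# sudo re-authentication: same directory, but authentication is an LDAP
# simple bind with the user's directory password (no token involved).
# ldaps:// matters here: sssd refuses to send the bind password in clear.
[domain/ldapdomain]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = ldap
access_provider = ldap
chpass_provider = krb5
use_fully_qualified_names = True
```

Because both domains expose the same accounts, nothing in this file by itself prevents an ssh login as user@ldapdomain with only the LDAP password; the ssh side still has to refuse the ldapdomain form, or the 2FA requirement can be sidestepped.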
On Wed, Oct 18, 2017 at 4:10 AM, Jakub Hrozek jhrozek@redhat.com wrote:
I know I can just skip sssd and use pam.d/sshd auth pointing to pam_securid.so and pam.d/sudo to pam_ldap. Much simpler approach. So the user can still do a normal unix login with securid (2FA) credentials and then sudo with LDAP credentials.
Hopefully someday sssd will be able to offer that.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Wed, 2017-10-18 at 05:26 -0400, Asif Iqbal wrote:
Can you open an RFE ticket for this?
Simo.
On Wed, Oct 18, 2017 at 8:31 AM, Simo Sorce simo@redhat.com wrote:
Sure. Is there a link for that? Sorry I have not done that before.
Thanks