Hello,
Could you please be so kind as to advise me how to set up an HBAC rule that allows user authentication/authorization to a web service but not to the server where this web service runs.
Our IPA runs on CentOS 7.5.1804, IPA version 4.5.4, API_VERSION: 2.228.
The web service runs on Ubuntu 16.06.5 LTS with Apache2.
In the Apache configuration, Kerberos authentication is set up and authorization is directed to the pam_sss.so SSSD module, which we use for server login:

<Location />
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbAuthoritative On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/web_server.domain.com
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/apache2/http-web_server.keytab
    KrbVerifyKDC Off
    KrbSaveCredentials On
    KrbLocalUserMapping On
    Require pam-account crm-production
</Location>

/etc/pam.d/crm-production:
auth    required pam_sss.so   # pam_sss.so for SSSD
account required pam_sss.so   # or other PAM module
-----------------------------------------------------------------------
The HBAC rule with the settings below works, but it allows any service.

Specified Users and Groups
* testuser
Specified Hosts and Groups
* web_server.domain.com
Any Service
How can I tell in HBAC rule to allow only HTTP/web_server.domain.com?
Thank you.
With kind regards, Jan Gardian
On Tue, 28 Aug 2018, Jan Gardian via FreeIPA-users wrote:
Hello,
Could you please be so kind as to advise me how to set up an HBAC rule that allows user authentication/authorization to a web service but not to the server where this web service runs.
Our IPA runs on CentOS 7.5.1804, IPA version 4.5.4, API_VERSION: 2.228.
The web service runs on Ubuntu 16.06.5 LTS with Apache2.
In the Apache configuration, Kerberos authentication is set up and authorization is directed to the pam_sss.so SSSD module, which we use for server login:

<Location />
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbAuthoritative On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/web_server.domain.com
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/apache2/http-web_server.keytab
    KrbVerifyKDC Off
    KrbSaveCredentials On
    KrbLocalUserMapping On
    Require pam-account crm-production
</Location>

/etc/pam.d/crm-production:
auth    required pam_sss.so   # pam_sss.so for SSSD
account required pam_sss.so   # or other PAM module
The HBAC rule with the settings below works, but it allows any service.
Specified Users and Groups
- testuser
Specified Hosts and Groups
- web_server.domain.com
Any Service
How can I tell in HBAC rule to allow only HTTP/web_server.domain.com?
Did you disable the allow_all HBAC rule? That rule allows access to any service on any machine by default. You'd need to create specific rules for specific users/groups/hosts/services when the allow_all rule is disabled.
Hello Alexander,
Thanks for the help. I found that I have to give the pam.d service the same name as the HBAC service in IPA, and then it works. My mistake when reading the documentation.
With kind regards, Jan Gardian
On 08/28/2018 05:44 PM, Alexander Bokovoy wrote:
On Tue, 28 Aug 2018, Jan Gardian via FreeIPA-users wrote:
Hello,
Could you please be so kind as to advise me how to set up an HBAC rule that allows user authentication/authorization to a web service but not to the server where this web service runs.
Our IPA runs on CentOS 7.5.1804, IPA version 4.5.4, API_VERSION: 2.228.
The web service runs on Ubuntu 16.06.5 LTS with Apache2.
In the Apache configuration, Kerberos authentication is set up and authorization is directed to the pam_sss.so SSSD module, which we use for server login:

<Location />
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbAuthoritative On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/web_server.domain.com
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/apache2/http-web_server.keytab
    KrbVerifyKDC Off
    KrbSaveCredentials On
    KrbLocalUserMapping On
    Require pam-account crm-production
</Location>

/etc/pam.d/crm-production:
auth    required pam_sss.so   # pam_sss.so for SSSD
account required pam_sss.so   # or other PAM module
The HBAC rule with the settings below works, but it allows any service.
Specified Users and Groups
- testuser
Specified Hosts and Groups
- web_server.domain.com
Any Service
How can I tell in HBAC rule to allow only HTTP/web_server.domain.com?
Did you disable the allow_all HBAC rule? That rule allows access to any service on any machine by default. You'd need to create specific rules for specific users/groups/hosts/services when the allow_all rule is disabled.
On Wed, 29 Aug 2018, Jan Gardian via FreeIPA-users wrote:
Hello Alexander,
Thanks for the help. I found that I have to give the pam.d service the same name as the HBAC service in IPA, and then it works. My mistake when reading the documentation.
Glad that you got it working.
Yes, the HBAC service name is the PAM service name in the context of system authorization when pam_sss.so does the check.
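The point Alexander makes (the HBAC service name is compared against the name of the PAM stack that called pam_sss.so) can be checked with a small model of the evaluation. The block below is an added example written for this thread; it is neither code from the thread nor FreeIPA's own implementation. It evaluates a constructed rule set (the stock allow_all rule plus a rule for testuser on web_server.domain.com via a service named crm-production, as in the thread) against (user, host, PAM service) triples, and shows why a PAM stack named anything other than crm-production is denied once allow_all is disabled. The rule name crm_web, the group crm-users and the users alice and bob are assumptions made for the example.

```python
"""Toy model of FreeIPA HBAC evaluation as pam_sss.so applies it.

Added example for the thread above; not FreeIPA code. Each rule carries
three selectors (users, hosts, services), mirroring the "Who / Accessing /
Via service" panels of the web UI; a selector set to ALL matches anything.
"""
from dataclasses import dataclass

ALL = "all"  # models usercategory/hostcategory/servicecategory = all


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: frozenset = frozenset()       # user names, or {ALL}
    groups: frozenset = frozenset()      # user group names
    hosts: frozenset = frozenset()       # host FQDNs, or {ALL}
    hostgroups: frozenset = frozenset()
    services: frozenset = frozenset()    # HBAC service names, or {ALL}
    servicegroups: frozenset = frozenset()


def _matches(direct, via_groups, value, value_groups):
    """True if the value, or one of its groups, is listed on the rule."""
    if ALL in direct:
        return True
    return value in direct or bool(via_groups & value_groups)


def hbac_allows(rules, user, host, pam_service,
                user_groups=frozenset(), host_groups=frozenset(),
                service_groups=frozenset()):
    """Return the name of the first enabled rule granting access, else None.

    pam_service is the name of the PAM stack that invoked pam_sss.so (the
    file name under /etc/pam.d/). It is compared verbatim to the HBAC
    service names on each rule, which is the detail the thread turned on.
    """
    for rule in rules:
        if not rule.enabled:
            continue
        if (_matches(rule.users, rule.groups, user, user_groups)
                and _matches(rule.hosts, rule.hostgroups, host, host_groups)
                and _matches(rule.services, rule.servicegroups,
                             pam_service, service_groups)):
            return rule.name
    return None


WEB_HOST = "web_server.domain.com"


def rule_set(allow_all_enabled):
    """Constructed rules: stock allow_all plus the rule from the thread."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 users=frozenset({ALL}), hosts=frozenset({ALL}),
                 services=frozenset({ALL})),
        HbacRule("crm_web",                       # assumed rule name
                 users=frozenset({"testuser"}),
                 groups=frozenset({"crm-users"}),  # assumed group
                 hosts=frozenset({WEB_HOST}),
                 services=frozenset({"crm-production"})),
    ]


def evaluate(allow_all_enabled):
    """Decisions for a few (user, host, PAM service) triples."""
    rules = rule_set(allow_all_enabled)
    return {
        # The web app's PAM stack, named exactly like the HBAC service.
        "web_crm": hbac_allows(rules, "testuser", WEB_HOST, "crm-production"),
        # Same user logging in to the web server itself over SSH.
        "web_sshd": hbac_allows(rules, "testuser", WEB_HOST, "sshd"),
        # PAM stack named differently from the HBAC service (the original
        # mistake in the thread): no rule lists "crm", so it is denied.
        "web_misnamed": hbac_allows(rules, "testuser", WEB_HOST, "crm"),
        # A member of the assumed crm-users group reaches the app via the group.
        "web_groupmember": hbac_allows(rules, "alice", WEB_HOST, "crm-production",
                                       user_groups=frozenset({"crm-users"})),
        # A user with a valid Kerberos ticket but no matching rule.
        "web_otheruser": hbac_allows(rules, "bob", WEB_HOST, "crm-production"),
    }


if __name__ == "__main__":
    for state in (True, False):
        label = "allow_all enabled" if state else "allow_all disabled"
        print(label, evaluate(state))
```

On a real server the corresponding objects are created with `ipa hbacsvc-add crm-production`, `ipa hbacrule-add`, `ipa hbacrule-add-user`, `ipa hbacrule-add-host` and `ipa hbacrule-add-service`, the default rule is switched off with `ipa hbacrule-disable allow_all`, and a decision can be checked before touching the client with `ipa hbactest --user testuser --host web_server.domain.com --service crm-production`.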
freeipa-users@lists.fedorahosted.org