Hello SSSD guru`s!
Is there anyone have such experience? There may be some recommendations or instructions?
On Thu, Oct 20, 2016 at 11:14:10AM -0000, Aleksey Maksimov wrote:
Hello SSSD guru`s!
Is there anyone have such experience? There may be some recommendations or instructions?
Jan (CC) might have some tricks up his sleeve..
Where can I learn about these tricks?
Just use mod_auth_kerb or (better) mod_auth_gssapi In terms of authentication, SSSD is not really needed here...
-----Original Message----- From: Aleksey Maksimov [mailto:aleksey.maksimov@it-kb.ru] Sent: Thursday, October 20, 2016 1:14 PM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Apache web server and Active Directory domain authorization with SSSD (with SSO)
Hello SSSD guru`s!
Is there anyone have such experience? There may be some recommendations or instructions? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
Just curious to try. No chance for SSSD in this matter ? :)
On Thu, Oct 20, 2016 at 11:14:10AM -0000, Aleksey Maksimov wrote:
Hello SSSD guru`s!
Is there anyone have such experience? There may be some recommendations or instructions?
With the use of mod_authnz_pam
https://www.adelton.com/apache/mod_authnz_pam/
and Require pam-account pam_service_name, with PAM service configured to use pam_sss.so, you get SSSD invoked for authorization.
You can then configure SSSD any way it suits your environment -- use GPOs, or potentially HBAC if you have trust setup with IPA server.
More information about this setup (though not talking about AD specifically) can be found at
https://www.freeipa.org/page/Web_App_Authentication
Hope this helps,
Jan Pazdziora wrote:
More information about this setup (though not talking about AD specifically) can be found at
Are there any modules already setting the env vars proposed here:
https://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Varia...
Ciao, Michael.
On Thu, Oct 20, 2016 at 05:17:25PM +0200, Michael Ströder wrote:
Jan Pazdziora wrote:
More information about this setup (though not talking about AD specifically) can be found at
Are there any modules already setting the env vars proposed here:
https://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Varia...
Module mod_lookup_identity
https://www.adelton.com/apache/mod_lookup_identity/
is able to retrieve information from SSSD and populate some of the environment variables.
Thank You, Jan. It works. I wrote about my experience setting up SSSD with Apache in blog: https://blog.it-kb.ru/2016/10/26/configuring-basic-and-kerberos-authenticati...
sssd-users@lists.fedorahosted.org
-
Aleksey Maksimov -
Jakub Hrozek -
Jan Pazdziora -
Michael Ströder -
Ondrej Valousek