List: sssd-users
Subject: [SSSD-users] Re: sudo trying to use proxy for auth
From: Asif Iqbal <vadud3 () gmail ! com>
Date: 2017-10-18 16:09:58
Message-ID: CAOHBbgVP+OOe29VBQrG0iai0D12mMPG5MmUqmY7Q9GT0dOTV8g () mail ! gmail ! com
On Wed, Oct 18, 2017 at 8:31 AM, Simo Sorce <simo@redhat.com> wrote:
> On Wed, 2017-10-18 at 05:26 -0400, Asif Iqbal wrote:
> > On Wed, Oct 18, 2017 at 4:10 AM, Jakub Hrozek <jhrozek@redhat.com>
> > wrote:
> >
> > > On Tue, Oct 17, 2017 at 05:15:08PM -0400, Asif Iqbal wrote:
> > > > I set up sssd to log in with 2-factor auth and it works fine, and
> > > > then I am failing to sudo with ldap even though id_provider is ldap.
> > > >
> > > > Here is log from sssd_LDAP when running sudo -s
> > > >
> > > > http://dpaste.com/36PTMS0.txt
> > > >
> > > > Here is relevant config
> > > >
> > > > [domain/LDAP]
> > > > chpass_provider = krb5
> > > > access_provider = ldap
> > > > id_provider = ldap
> > > > ...
> > > > auth_provider = proxy
> > > > proxy_pam_target = securid
> > > > ..
> > > >
> > > > There is no sudo_* in here
> > > >
> > > > sudo -s works if I use the auth provider, which is 2FA. So it
> > > > seems like sudo auth follows whatever auth_provider is set to?
> > > >
> > > > Can I have ssh login with proxy as auth provider and sudo login
> > > > with ldap as auth provider?
> > > >
> > > > I know both ssh and sudo login work with ldap and krb5, but I
> > > > need to have the ssh login with 2FA in my env.
> > > >
> > > > Thanks for your help
> > >
> > > The only way I can think of solving this is to configure two
> > > [domains] in sssd.conf and use fully qualified names, e.g.
> > > user@otpdomain and user@ldapdomain.
> > >
> >
> > I know I can just skip sssd and use pam.d/sshd auth pointing to
> > pam_securid.so and pam.d/sudo to pam_ldap. Much simpler approach. So
> > user can still do normal unix login with securid (2FA) credentials and
> > then sudo with LDAP credentials.
> >
> > Hopefully someday sssd will be capable of offering that.
>
> Can you open an RFE ticket for this?
>
Sure. Is there a link for that? Sorry, I have not done that before.
Thanks
>
> Simo.
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
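The PAM-only split Asif describes above (SecurID for interactive SSH logins, LDAP password for sudo, sssd kept only as the identity source), written out as an added illustration that is not from the thread or from the SSSD project. It assumes pam_securid.so is installed by the RSA agent, pam_ldap.so by the distribution's pam_ldap or nss-pam-ldapd package with its own LDAP client configuration (/etc/pam_ldap.conf or /etc/nslcd.conf, depending on the implementation), and that pam_sss.so still runs the account phase so the access_provider = ldap check from the original sssd.conf keeps deciding who may log in at all.

```conf
# /etc/pam.d/sshd  (illustrative; replaces the distro's system-auth include)
# auth: second factor handled by the RSA agent, sssd's auth_provider is not used here
auth     required   pam_env.so
auth     required   pam_securid.so
# account: still routed through sssd so access_provider = ldap is enforced
account  required   pam_sss.so
session  optional   pam_sss.so

# /etc/pam.d/sudo  (illustrative)
# auth: plain LDAP password via pam_ldap, independent of the sshd stack above
auth     required   pam_ldap.so
# account: same sssd access check as for login
account  required   pam_sss.so
session  required   pam_limits.so
```

Because pam_ldap.so binds to the directory with the user's password, its client configuration should require TLS (ldaps:// or StartTLS with a trusted CA), otherwise every sudo prompt sends a reusable credential in clear text.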
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org