Currently ipsilon-server-install --pam-service and --form-service default to "remote", which is a PAM service used by other stuff on Linux. Instead it should default to "ipsilon".
This is especially important when using HBAC with freeIPA with allow_all disabled (as everyone should do). In such a configuration, here is the freeIPA ipsilon HBAC configuration:
ipa hbacsvc-add ipsilon --desc="ipsilon IdP"
ipa hbacrule-add allow_ipsilon --usercat=all --desc="All users can use ipsilon IdP"
ipa hbacrule-add-service allow_ipsilon --hbacsvcs=ipsilon
ipa hbacrule-add-host allow_ipsilon --hosts=idp.example.com
A PAM service named ipsilon also needs to be created/provided on the IdP to provide the ipsilon service. This should match the contents of the PAM remote service.
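An added check script, not from the ticket or the Ipsilon project, that verifies the PAM service named by InterceptFormPAMService in idp.conf is a dedicated service with its own /etc/pam.d file rather than the shared "remote" one. The function name, the return codes, and the sample idp.conf and pam.d contents are constructed for this example.

```shell
#!/bin/sh
# Hypothetical helper (not part of ipsilon-server-install): checks that the
# form-based login stack uses a dedicated PAM service that actually exists.

# check_pam_service CONF PAMDIR
#   prints the configured service name and returns:
#   0 OK, 1 no InterceptFormPAMService directive, 2 service is the shared
#   "remote" stack, 3 no PAMDIR/<service> file for the configured service
check_pam_service() {
    conf=$1
    pamdir=$2
    svc=$(awk '$1 == "InterceptFormPAMService" { print $2; exit }' "$conf")
    [ -n "$svc" ] || return 1
    printf '%s\n' "$svc"
    [ "$svc" != "remote" ] || return 2
    [ -f "$pamdir/$svc" ] || return 3
    return 0
}

# Constructed sample inputs in a temp dir so the check runs offline.
setup_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pam.d"
    # stand-in for the "remote" stack the ticket says ipsilon should copy
    printf 'auth     required  pam_sss.so\naccount  required  pam_sss.so\n' \
        > "$dir/pam.d/remote"
    # the default the ticket complains about: shared "remote" service
    printf 'InterceptFormPAMService remote\n' > "$dir/idp-default.conf"
    # the desired state: dedicated "ipsilon" service with its own PAM file
    printf 'InterceptFormPAMService ipsilon\n' > "$dir/idp-fixed.conf"
    cp "$dir/pam.d/remote" "$dir/pam.d/ipsilon"
    # a dedicated name that was configured but never provided in pam.d
    printf 'InterceptFormPAMService ipsilon-missing\n' > "$dir/idp-missing.conf"
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(setup_samples)
    for c in idp-default idp-fixed idp-missing; do
        check_pam_service "$d/$c.conf" "$d/pam.d" >/dev/null
        echo "$c: rc=$?"
    done
fi
```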
Fields changed
milestone: => 1.2
What package provides that --pam-service option? I use ipsilon-1.0.0-11.el7.noarch, I have pretty much everything ipsilon-related installed, but
ipsilon-server-install --help | grep pam
does not list it.
As a matter of fact, when I use
--form yes --gssapi yes
the /etc/ipsilon/idp/idp.conf gets configured with
InterceptFormPAMService remote
but with
AuthType GSSAPI
Require valid-user
So it looks like --gssapi should be changed to start using mod_authnz_pam's
require pam-account remote
first.
Should I file a new ticket for that?
Replying to [comment:3 adelton]:
> What package provides that --pam-service option? I use ipsilon-1.0.0-11.el7.noarch, I have pretty much everything ipsilon-related installed, but ipsilon-server-install --help | grep pam
It is provided by the package ipsilon-authpam
> As a matter of fact, when I use --form yes --gssapi yes the /etc/ipsilon/idp/idp.conf gets configured with InterceptFormPAMService remote but with AuthType GSSAPI Require valid-user So it looks like --gssapi should be changed to start using mod_authnz_pam's require pam-account remote first. Should I file a new ticket for that?
I think both cases can be covered by this ticket.
I suggest we don't worry about upgrade cases and just focus on new installs for this feature.
owner: => jdennis
status: new => assigned
patch_available: 0 => 1
This has been merged with 174823c
resolution: => fixed
status: assigned => closed
Metadata Update from @puiterwijk:
- Issue assigned to jdennis
- Issue set to the milestone: 1.2