Ipsilon, HBAC and the pam service

By default Ipsilon configures pam to authenticate using the remote service. This is at least in part because remote already exists on most systems and was easier to set up during initial development.

We see now that an Ipsilon-specific pam service should be used instead. This can be done pretty easily by using the remote service as a template. This will likely be the basis of the Ipsilon-provided service, https://fedorahosted.org/ipsilon/ticket/176

If you are using IPA HBAC then regardless of the service you’ll need to ensure that the users that you want to be able to use Federation have access to the configured pam service on the Ipsilon IdP host. It becomes clear pretty quickly when used with HBAC why a separate Ipsilon-specific pam service is desirable.
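As an added example (not Ipsilon's own code, nor from the post), the two steps above as a small POSIX shell script: clone `/etc/pam.d/remote` into a dedicated service, and emit the `ipa` commands that grant a group access to that service on the IdP host. The service name `ipsilon`, the rule name `allow_ipsilon`, the host `idp.example.com` and the group `federation-users` are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not Ipsilon's own code. Assumes the new PAM service is
# named "ipsilon" and that /etc/pam.d/remote is the template to clone.
# Set PAM_DIR to a scratch directory to try it outside /etc/pam.d.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
PAM_SERVICE="${PAM_SERVICE:-ipsilon}"

# Create the Ipsilon-specific PAM service from the "remote" template.
# Returns 0 on success, 1 if the template is missing or the target
# already exists (never silently overwrite a live PAM config).
make_pam_service() {
    template="$PAM_DIR/remote"
    target="$PAM_DIR/$PAM_SERVICE"
    [ -f "$template" ] || { echo "template $template not found" >&2; return 1; }
    [ -e "$target" ] && { echo "$target exists, not overwriting" >&2; return 1; }
    {
        printf '# %s: PAM service for the Ipsilon IdP, cloned from %s\n' \
            "$PAM_SERVICE" "$template"
        cat "$template"
    } > "$target"
    chmod 0644 "$target"
}

# Print the HBAC objects needed so members of $2 may use the new service
# on the IdP host $1. The commands are echoed rather than run so an admin
# can review them first; pipe the output to sh to apply them.
hbac_commands() {
    idp_host="$1"; group="$2"; rule="allow_$PAM_SERVICE"
    cat <<EOF
ipa hbacsvc-add $PAM_SERVICE --desc="Ipsilon IdP PAM service"
ipa hbacrule-add $rule --desc="Federation users may authenticate via Ipsilon"
ipa hbacrule-add-service $rule --hbacsvcs=$PAM_SERVICE
ipa hbacrule-add-host $rule --hosts=$idp_host
ipa hbacrule-add-user $rule --groups=$group
# Verify for one member of the group (placeholder user name):
# ipa hbactest --user=USERNAME --host=$idp_host --service=$PAM_SERVICE
EOF
}
```

Until a matching HBAC rule exists, `ipa hbactest` reports the access as denied for that user/host/service triple, which is the symptom the post refers to.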

One thought on “Ipsilon, HBAC and the pam service”

  1. The local configuration of a couple of subsystems including sssd can be set up to point to a FreeIPA server. It also creates a host record on the server, making it possible to add services and get their Kerberos keytab.
