Hi,

1) HBAC update: I've never seen a delay... so it seems to be a few seconds... so I'm not sure why you need to restart sssd.

2) I also think I have asked about that... not sure what you are aiming to achieve/mean with having no KDC / LDAP stores. I'd like a read-only slave capability for out in the DMZ... and possibly only export certain groups from the read/write out to the slave... but maybe I'm being overly paranoid... but I think AD 2008 R2? can do that.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: [email protected] [[email protected]] on behalf of Cam McK [[email protected]]
Sent: Friday, 8 June 2012 1:22 p.m.
To: [email protected]
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves

Hello

Thanks for an awesome product! I have two questions that I can't seem to find answers for...

1) How long is the delay between changing an HBAC rule and it coming into effect on the host machine? Currently this information only seems to be updated on the host after a 'service sssd reload/restart'. Also, are the HBAC access rules stored within the LDAP directory?

2) We would also like to use FreeIPA in a trusted network but then have perhaps a read-only slave sitting in the DMZ, with the possibility of not containing the KDC or LDAP password stores on it. Is this possible? (Basically authentication being done by a different PAM module, but pam_sss.so still allowing HBAC via the PAM 'account' directive.) Is it possible to have a 'regular' LDAP directory (in the DMZ) just slurping down the required LDAP info?

Many Thanks

Campbell

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
