Looks great, thanks Alexander!

----- Original Message -----
> On 26.07.2011 06:23, Alexander Bokovoy wrote:
> > I'll send updated patch proposal today.
> Here is the new patch.
> 
> $ ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
> 
> Options:
> -h, --help show this help message and exit
> --user=STR User name
> --srchost=STR Source host
> --host=STR Target host
> --service=STR Service
> --rules=LIST Rules to test. If not specified, --enabled is assumed
> --detail Show which rules are passed, denied, or invalid
> --enabled Include all enabled IPA rules into test [default]
> --disabled Include all disabled IPA rules into test
> 
> The following modes are implemented by the plugin: given (user, source host,
> target host, service), attempt to log in the user coming from the source host
> to the target host's service:
> 
> 1. Use all enabled HBAC rules in IPA database to simulate:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --------------------
> Access granted: True
> --------------------
> 
> 2. Show detailed summary of how rules were applied:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
> 
> 3. Test explicitly specified HBAC rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule
> 
> 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --enabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
> 
> 5. Test all disabled HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: new-rule
> 
> 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule, new-rule
> 
> 7. Test all (enabled and disabled) HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --enabled --disabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule, new-rule
> passed: allow_all
> 
> 
> --
> / Alexander Bokovoy
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 

Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
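
The rule-selection behaviour shown in the quoted examples, as an added Python sketch that is not part of this thread and is not FreeIPA's hbactest code. The `Rule` class, the rule contents and the `select`/`hbactest` helpers are constructed for illustration; only the rule names, the request and the expected results come from the mail.

```python
# Added illustration: a simplified model, NOT FreeIPA's hbactest code.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    enabled: bool
    match: dict  # field -> allowed values; a missing field matches anything

    def passes(self, request):
        return all(request[f] in allowed for f, allowed in self.match.items())


# Constructed rules and request, chosen to reproduce the outputs in the mail.
RULES = [
    Rule("allow_all", True, {}),
    Rule("my-second-rule", True, {"user": {"b2b"}}),
    Rule("my-third-rule", True, {"service": {"ftp"}}),
    Rule("myrule", True, {"host": {"baz"}}),
    Rule("new-rule", False, {"srchost": {"qux"}}),
]
REQUEST = {"user": "a1a", "srchost": "foo", "host": "bar", "service": "ssh"}


def select(rules, names=(), enabled=False, disabled=False):
    """Pick the rules to test from --rules, --enabled and --disabled."""
    if not names and not enabled and not disabled:
        enabled = True  # help text: without --rules, --enabled is assumed
    # Assumption: a rule named in --rules is tested whatever its enabled state.
    return [r for r in rules
            if r.name in names
            or (enabled and r.enabled)
            or (disabled and not r.enabled)]


def hbactest(request, rules=RULES, **opts):
    """Access is granted when at least one tested rule passes."""
    tested = select(rules, **opts)
    passed = sorted(r.name for r in tested if r.passes(request))
    denied = sorted(r.name for r in tested if not r.passes(request))
    return {"granted": bool(passed), "passed": passed, "denied": denied}


if __name__ == "__main__":
    two = ("my-second-rule", "myrule")
    print(hbactest(REQUEST))                             # mode 1
    print(hbactest(REQUEST, names=two))                  # mode 3
    print(hbactest(REQUEST, names=two, disabled=True))   # mode 6
    print(hbactest(REQUEST, enabled=True, disabled=True))  # mode 7
```

Comparing mode 3 with mode 4 shows why the tested set matters when auditing: a run limited to `--rules` can report `False` for a request that the enabled `allow_all` rule would still grant.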
