On to, 28 syys 2017, Ronald Wimmer via FreeIPA-users wrote:
On 2017-09-28 11:37, Alexander Bokovoy wrote:
You need to define HBAC rules that target system-auth PAM service on
this host then.

But yes, any practical PAM service would work as long as you have
appropriate HBAC rules for this service.

Is an HBAC Service in IPA the counterpart to the PAM file on an ipa client residing in /etc/pam.d/ ?
Yes. You can always get help by running 'ipa help <topic>' command:

-------------------------------------------------------------
$ ipa help hbacsvc
HBAC Services

The PAM services that HBAC can control access to. The name used here
must match the service name that PAM is evaluating.

EXAMPLES:

Add a new HBAC service:
  ipa hbacsvc-add tftp

Modify an existing HBAC service:
  ipa hbacsvc-mod --desc="TFTP service" tftp

Search for HBAC services. This example will return two results, the FTP
service and the newly-added tftp service:
  ipa hbacsvc-find ftp

Delete an HBAC service:
  ipa hbacsvc-del tftp

Topic commands:
 hbacsvc-add   Add a new HBAC service.
 hbacsvc-del   Delete an existing HBAC service.
 hbacsvc-find  Search for HBAC services.
 hbacsvc-mod   Modify an HBAC service.
 hbacsvc-show  Display information about an HBAC service.

To get command help, use:
 ipa <command> --help
-------------------------------------------------------------

There is also a section in the documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/hbac-add-service.html
--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to