I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as a 
whole or if someone has created scripts or the like that perform access rights 
lookups without doing the typical hbac rule lookups which requires user -> host 
-> service (as far as I know), where those things are required to actually 
perform the access granted/denied test. Basically, what I'm trying to figure 
out is there a way to pick a host for example, and get a list of who can access 
the system on a specific service (or any service for that matter). 

The reason I ask is I'm trying to figure out how to properly perform "audits" 
at my place of work, ie for PCI and SOX. And as far as I can tell, there's no 
easy way to do this when we have for example, two HBAC policies that allow all 
hosts (so there's no "member" attributes on the directory objects, just 
hostCategory all) and then majority of the policies are using groups rather 
than specific individuals, so I'd have to get a list of all of the users, 
including the ones that are in AD across the trust.

If there isn't something like this built in, has someone done something like 
this before? I'd like to try to avoid rolling my own solution if possible, but 
if I had to roll my own solution, I could use some advisement or hints on 
something like this.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to