I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as a
whole, or if someone has created scripts or the like that perform access rights
lookups without doing the typical HBAC rule lookups, which require user -> host
-> service (as far as I know), where those things are required to actually
perform the access granted/denied test. Basically, what I'm trying to figure
out is whether there is a way to pick a host, for example, and get a list of
who can access the system on a specific service (or any service for that
matter).

The reason I ask is I'm trying to figure out how to properly perform "audits"
at my place of work, i.e. for PCI and SOX. And as far as I can tell, there's no
easy way to do this when we have, for example, two HBAC policies that allow all
hosts (so there are no "member" attributes on the directory objects, just
hostCategory all) and then the majority of the policies are using groups rather
than specific individuals, so I'd have to get a list of all of the users,
including the ones that are in AD across the trust.

If there isn't something like this built in, has someone done something like
this before? I'd like to try to avoid rolling my own solution if possible, but
if I had to roll my own solution, I could use some advisement or hints on
something like this.
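An added example, not part of the original post and not FreeIPA's own code: a sketch of the reverse lookup asked about above, which fixes a host and service and lists every user that some enabled HBAC rule admits, together with the rules responsible. The rule dictionary keys other than the `*Category` names, the function names and all sample data are assumptions; group memberships are assumed to be exported already flattened, including AD users resolved across the trust.

```python
# Constructed sample data (not real output). Memberships are assumed to be
# already flattened: nested groups expanded, AD users resolved via the trust.
USER_GROUPS = {
    "bob": {"ops"},
    "carol": {"dba"},
    "dave": set(),
    "alice@ad.example.test": {"ad_admins"},
}
HOST_GROUPS = {"db01.example.test": {"dbservers"},
               "web01.example.test": {"webservers"}}
SVC_GROUPS = {"sshd": {"remote_login"}}
# Hypothetical normalised rule shape; only the *Category names mirror HBAC.
RULES = [
    {"cn": "ops_ssh_anywhere", "enabled": True, "hostCategory": "all",
     "groups": ["ops", "ad_admins"], "services": ["sshd"]},
    {"cn": "dba_on_dbservers", "enabled": True, "hostgroups": ["dbservers"],
     "groups": ["dba"], "serviceCategory": "all"},
    {"cn": "dave_web_legacy", "enabled": False, "hosts": ["web01.example.test"],
     "users": ["dave"], "serviceCategory": "all"},
]


def _matches(rule, category, direct_key, group_key, name, groups):
    """One HBAC dimension: category 'all', a direct member, or via a group."""
    if rule.get(category) == "all":
        return True
    if name in rule.get(direct_key, ()):
        return True
    return bool(groups & set(rule.get(group_key, ())))


def who_can_access(host, service, rules, user_groups, host_groups, svc_groups):
    """Return {user: [rule names]} for users admitted to host/service."""
    hg = host_groups.get(host, set())
    sg = svc_groups.get(service, set())
    allowed = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules grant nothing
        if not _matches(rule, "hostCategory", "hosts", "hostgroups", host, hg):
            continue
        if not _matches(rule, "serviceCategory", "services", "svcgroups", service, sg):
            continue
        for user, groups in user_groups.items():
            if _matches(rule, "userCategory", "users", "groups", user, groups):
                allowed.setdefault(user, []).append(rule["cn"])
    return allowed
```

Keeping the rule names in the result lets an auditor trace each entitlement back to the policy that grants it, which matters most for the `hostCategory` all rules that leave no member attribute on the host object.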