Thanks, Rob. I was considering something like that. I was thinking of each host running through the users, filtering a bit by groups, for access to that host. This would be, as suggested, run no more than once daily, overnight.
______________________________________________________________________________________________
Daniel E. White
[email protected]
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Rob Crittenden <[email protected]>
Date: Friday, December 27, 2019 at 21:33
To: FreeIPA users list <[email protected]>
Cc: Daniel White <[email protected]>
Subject: [EXTERNAL] Re: [Freeipa-users] Looking for a way to get a list of users that can log in to a server

White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:

> Ideally, a command/script I can run on each host that outputs a list of users that can log in to that host.
>
> I found this:
>
> FreeIPA Issue #7199 [RFE] Central report that will show who can access which systems (attestation)
> https://pagure.io/freeipa/issue/7199
>
> and followed it upstream to this BugZilla
>
> Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation)
> https://bugzilla.redhat.com/show_bug.cgi?id=1492993
>
> which says it is targeted for RHEL 8!

I wouldn't read too much into that, it mostly just says that it has no chance of making it into RHEL 7.

> Is there any way to do this in the meantime? I can get a list of users, but how do I get to the HBAC rules to filter them?

There is no way now other than running hbac-test iteratively for all your users and hosts. It'd be quite resource-intensive and I imagine slow depending on the number of hosts and users, something to run overnight I imagine.

You might be able to be clever about it depending on your rules if you know, for instance, that a certain set of hosts don't allow ssh access (or is limited to a single group).

rob
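The iterative check described in the thread, for one host over all users (optionally narrowed to one group), as an added example that is not part of the original messages. It assumes the `ipa` client tools, a valid Kerberos ticket, and `sshd` as the HBAC service of interest; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: list the IPA users that HBAC rules allow onto one host.
# Assumption: run after kinit as an account permitted to call hbactest.

# Print IPA user logins, one per line; $1 optionally limits to one group.
list_users() {
    if [ -n "${1:-}" ]; then
        ipa user-find --pkey-only --sizelimit=0 --in-groups="$1"
    else
        ipa user-find --pkey-only --sizelimit=0
    fi </dev/null | sed -n 's/^ *User login: *//p'
}

# Succeed when HBAC grants user $1 access to service $3 on host $2.
# The exit status of ipa is ignored; only the reported verdict is parsed.
hbac_allows() {
    out=$(ipa hbactest --user="$1" --host="$2" --service="$3" \
          </dev/null 2>/dev/null) || true
    case $out in
        *"Access granted: True"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: allowed_users HOST [SERVICE] [GROUP]
# Prints every user HBAC would let in, one login per line.
allowed_users() {
    host=$1
    service=${2:-sshd}
    group=${3:-}
    list_users "$group" | while IFS= read -r user; do
        if hbac_allows "$user" "$host" "$service"; then
            printf '%s\n' "$user"
        fi
    done
}

# When invoked with arguments, run the report for that host.
[ "$#" -eq 0 ] || allowed_users "$@"
```

The result covers IPA HBAC rules only; local accounts and any sshd or PAM restrictions configured on the host itself are not evaluated by `hbactest`.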
