stefano.antonelli@cnaf via FreeIPA-users wrote:

> Dear FreeIPA users
>
> I have a three node installation (version 4.6.8, CentOS 7.9.2009) and
> I'm trying to manage users and hosts in order to allow them to send
> emails; I've retrieved the host keytab from the IPA servers and configured the host
> krb5.conf to point at the IPA servers.
>
> I have a test user on FreeIPA (or, in future, user groups) and an SMTP
> server (postfix; or in future host groups) and an SMTP service
> smtp/hostname@REALM
>
> I'd like to configure an HBAC rule in order to:
>
> 1) allow the group of users to send email via the SMTP server
> 2) ban the user from sending email by removing him/her from the user group
>
> but there is something that's not working. I've made two tests (user in
> the user group and deleted from the user group) and in both cases the user is
> able to send email from his client (I attach the output of some ipa
> commands).
>
> Besides, I've tried to add an HBAC service "smtp" (even if I do not
> understand its real use, whether it's only a tag) and an HBAC service
> group, but nothing has changed. At the moment I don't see where I'm
> wrong, even looking at some log files.
>
> thank you
> cheers
> Stefano
>
>
> ### 1 user-test in User Group
>
> ipa hbacrule-show smtp
>   Rule name: smtp
>   Service category: all
>   Description: Regola di accesso ai server smtp
>   Enabled: TRUE
>   User Groups: smtp
>   Host Groups: smtp
>
> ipa user-show user-test
>   Member of groups: smtp
>   Indirect Member of HBAC rule: smtp
>
> ipa hbactest --user=user-test --host=host.domain --service=all
> --------------------
> Access granted: True
> --------------------
>   Matched rules: smtp-cnaf
>
> ### 2 user-test deleted from User Group
>
> ipa hbactest --user=user-test --host=host.domain --service=all
> ---------------------
> Access granted: False
> ---------------------
>   Not matched rules: smtp-cnaf
HBAC services are PAM services. If the authentication/authorization/session is going through PAM then this can work. I have some vague memory of saslauthd and postfix using PAM.

rob
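To make the two points of the thread concrete (the `ipa hbactest` results above, and Rob's remark that the rule only bites where the daemon authenticates through PAM), here is an added, constructed model of HBAC rule evaluation. It is not FreeIPA's or SSSD's code; the rule, group and host-group names are taken from the thread, and the default `allow_all` rule is assumed to be disabled (otherwise it would grant every request).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HbacRule:
    """Constructed model of an IPA HBAC rule (not FreeIPA's own code)."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    user_groups: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)  # PAM service names, e.g. "sshd"

def rule_matches(rule, user_groups, host_groups, service):
    """A rule matches only when the user, host AND service dimensions all match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_category == "all" or bool(rule.user_groups & user_groups)
    host_ok = rule.host_category == "all" or bool(rule.host_groups & host_groups)
    svc_ok = rule.service_category == "all" or service in rule.services
    return user_ok and host_ok and svc_ok

def hbactest(rules, user_groups, host_groups, service):
    """Return (access_granted, matched_rule_names), mirroring `ipa hbactest`."""
    matched = [r.name for r in rules
               if rule_matches(r, user_groups, host_groups, service)]
    return bool(matched), matched

# Constructed data mirroring the thread: user group "smtp", host group "smtp",
# rule "smtp" with service category "all"; allow_all assumed disabled.
RULES = [
    HbacRule("allow_all", enabled=False, user_category="all",
             host_category="all", service_category="all"),
    HbacRule("smtp", user_groups={"smtp"}, host_groups={"smtp"},
             service_category="all"),
]

def scenario(user_in_group: bool, service: str = "smtp"):
    """Evaluate user-test on a host in hostgroup smtp, with or without group membership."""
    groups = {"smtp"} if user_in_group else set()
    return hbactest(RULES, groups, {"smtp"}, service)

if __name__ == "__main__":
    print(scenario(True))    # (True, ['smtp'])
    print(scenario(False))   # (False, [])
```

The evaluation above only ever runs when something on the host calls PAM with `pam_sss`, which is Rob's point: a daemon that authenticates users without going through PAM never consults SSSD, so the rule is correct yet unenforced.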
