1) Create an HBAC rule or rules: choose allow or deny
2) Add users/usergroups to the rule
3) Add hosts/hostgroups to the rule
4) Disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support SSSD, I have been working on a proof of concept
authorization module for HBAC written in Python.

-JR

On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:

> Hi,
> 
> I've seen/read it.....and I have a hard copy on my desk in front of me right 
> now....
> 
> I find it typical of such documents, it has lots of sections in great detail 
> but it doesn't tell you how to achieve anything end to end....and often it 
> gives you written instructions on visual tasks so if you are not in the right 
> bit of the GUI you go nowhere.....So it needs far more screenshots and 
> wizards....
> 
> regards
> ________________________________________
> From: JR Aquino [jr.aqu...@citrix.com]
> Sent: Tuesday, 14 June 2011 11:53 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop 
> users logging into hosts?
> 
> On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
> 
>> I have put 3 clients into a netgroup and added a user, however when I remove 
>> the user from the netgroup the user can still log in! Even if the user wasn't 
>> ever in the netgroup they can log in....
>> 
>> So how do I stop that?
>> 
>> When will we see some documentation on doing user admin tasks like this?
> 
> Have a look at this:
> 
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
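
The four HBAC steps at the top of this message, and the reason removing a user from a netgroup did not block the login, can be seen in a small model of rule evaluation. This is an added example, not code from the thread or from FreeIPA/SSSD; it is a simplified model covering allow rules only, and the rule, user, group, and host names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class HBACRule:
    """Simplified allow rule: which users/usergroups may access which hosts/hostgroups."""
    name: str
    users: set = field(default_factory=set)
    usergroups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    all_users: bool = False  # rule applies to every user
    all_hosts: bool = False  # rule applies to every host
    enabled: bool = True

    def matches(self, user, user_groups, host, host_groups):
        if not self.enabled:
            return False
        user_ok = self.all_users or user in self.users or bool(self.usergroups & user_groups)
        host_ok = self.all_hosts or host in self.hosts or bool(self.hostgroups & host_groups)
        return user_ok and host_ok

def matching_rules(rules, user, user_groups, host, host_groups):
    """Default deny: access is granted only if at least one enabled rule matches."""
    return [r.name for r in rules if r.matches(user, user_groups, host, host_groups)]

def demo():
    # Constructed sample data (hypothetical names, not from the thread).
    allow_all = HBACRule("allow_all", all_users=True, all_hosts=True)  # the default rule
    web = HBACRule("web_admins", usergroups={"webadmins"},
                   hostgroups={"webservers"})  # steps 1-3
    rules = [allow_all, web]
    alice = ("alice", {"webadmins"})
    bob = ("bob", set())  # not named by any specific rule
    host = ("web1.example.com", {"webservers"})

    before = {u[0]: matching_rules(rules, *u, *host) for u in (alice, bob)}
    allow_all.enabled = False  # step 4: disable the default 'allow all' rule
    after = {u[0]: matching_rules(rules, *u, *host) for u in (alice, bob)}
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("allow_all enabled: ", before)
    print("allow_all disabled:", after)
```

An empty list means no rule grants access, so the login is refused; while the catch-all rule is enabled, every user matches it regardless of group membership.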

