Hmm,

So what's the default rule? Can I set precedence? Is there any?

Example.

So I've disabled the allow_all rule, I made a deny_all rule and then a rule to 
allow specific user groups to login to specific hostgroups servers....that 
didn't work...

So I disabled the deny_all rule and users in the specific group can login to 
the specific server, and if I remove them from the user group they cannot 
login, so OK good BUT the trouble is a second user that is in no groups at all 
can also login to the servers, which shouldn't occur...or at least I don't want 
that to occur...so something is set incorrectly.

Is there a way to "suck out" the HBAC rules or whatever info for the user at 
the command line? I certainly can't find why that second user can login, it 
should not be able to, but it can.

regards


________________________________________
From: JR Aquino [jr.aqu...@citrix.com]
Sent: Tuesday, 14 June 2011 1:10 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users 
logging into hosts?

1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept 
authorization module for HBAC written in python.

-JR

On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:

> Hi,
>
> I've seen/read it.....and I have a hard copy on my desk in front of me right 
> now....
>
> I find it typical of such documents, it has lots of sections in great detail 
> but it doesn't tell you how to achieve anything end to end....and often it 
> gives you written instructions on visual tasks so if you are not in the right 
> bit of the gui you go nowhere.....So it needs far more screenshots and 
> wizards....
>
> regards
> ________________________________________
> From: JR Aquino [jr.aqu...@citrix.com]
> Sent: Tuesday, 14 June 2011 11:53 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop 
> users logging into hosts?
>
> On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
>
>> I have put 3 clients into a netgroup and added a user, however when I remove 
>> the user from the netgroup the user can still login! Even if the user wasn't 
>> ever in the netgroup they can login....
>>
>> So how do I stop that?
>>
>> When will we see some documentation on doing user admin tasks like this?
>
> Have a look at this:
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

