Hmm, so what's the default rule? Can I set precedence? Is there any?

Example. So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to login to specific hostgroups servers....that didn't work...

So I disabled the deny_all rule and users in the specific group can login to the specific server, and if I remove them from the user group they cannot login, so OK good BUT the trouble is a second user that is in no groups at all can also login to the servers, which shouldn't occur...or at least I don't want that to occur...so something is set incorrectly.

Is there a way to "suck out" the HBAC rules or whatever info for the user at the command line? I certainly can't find why that second user can login, it should not be able to, but it can.

regards

________________________________________
From: JR Aquino [[email protected]]
Sent: Tuesday, 14 June 2011 1:10 p.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept authorization module for HBAC written in python.

-JR

On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:

> Hi,
>
> I've seen/read it.....and I have a hard copy on my desk in front of me right now....
>
> I find it typical of such documents, it has lots of sections in great detail
> but it doesn't tell you how to achieve anything end to end....and often it
> gives you written instructions on visual tasks so if you are not in the right
> bit of the gui you go nowhere.....So it needs far more screenshots and
> wizards....
>
> regards
> ________________________________________
> From: JR Aquino [[email protected]]
> Sent: Tuesday, 14 June 2011 11:53 a.m.
> To: Steven Jones
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
>
> On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
>
>> I have put 3 clients into a netgroup and added a user, however when I remove
>> the user from the netgroup the user can still login! Even if the user wasn't
>> ever in the netgroup they can login....
>>
>> So how do I stop that?
>>
>> When will we see some documentation on doing user admin tasks like this?
>
> Have a look at this:
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
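
A simplified model of the allow-rule evaluation behind JR's four steps, added here as an illustration (it is not FreeIPA or SSSD code and was not posted in this thread): access is granted only if some enabled rule matches both the user and the host, and listing the matching rules shows which rule lets a given user in. It leaves out services and deny rules; every rule name other than allow_all, and all users, groups and hosts, are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One HBAC allow rule (simplified: no services, no deny type)."""
    name: str
    enabled: bool = True
    all_users: bool = False          # rule applies to every user
    all_hosts: bool = False          # rule applies to every host
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    hostgroups: frozenset = frozenset()


def matching_rules(rules, user, user_groups, host, host_groups):
    """Names of enabled rules matching both user and host; [] means denied."""
    hits = []
    for r in rules:
        if not r.enabled:
            continue  # a disabled rule can never grant access
        user_ok = r.all_users or user in r.users or bool(r.groups & set(user_groups))
        host_ok = r.all_hosts or host in r.hosts or bool(r.hostgroups & set(host_groups))
        if user_ok and host_ok:
            hits.append(r.name)
    return hits


def sample_rules(allow_all_enabled):
    """Constructed rule set: the default rule, a group rule, a forgotten direct rule."""
    return [
        Rule("allow_all", enabled=allow_all_enabled, all_users=True, all_hosts=True),
        Rule("webadmins_to_web", groups=frozenset({"webadmins"}),
             hostgroups=frozenset({"webservers"})),
        Rule("old_test_rule", users=frozenset({"carol"}), hosts=frozenset({"web1"})),
    ]


if __name__ == "__main__":
    who = {"alice": {"webadmins"}, "bob": set(), "carol": set()}  # constructed users
    for enabled in (True, False):
        print(f"allow_all enabled={enabled}")
        for user, groups in who.items():
            hits = matching_rules(sample_rules(enabled), user, groups, "web1", {"webservers"})
            print(f"  {user:6} -> {'ALLOW via ' + ', '.join(hits) if hits else 'DENY'}")
```

With allow_all disabled, the group-less user bob is denied, while carol still gets in through a rule that names her directly, which is the kind of match worth looking for when a user outside every group can log in.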
