Steven Jones wrote:
So what's the default rule? Can I set precedence? Is there any?
The default rule is deny.
So I've disabled the allow_all rule, I made a deny_all rule and then a rule to
allow specific user groups to login to specific hostgroups servers....that
So I disabled the deny_all rule and users in the specific group can login to
the specific server, and if I remove them from the user group they cannot
login, so OK good BUT the trouble is a second user that is in no groups at all
can also login to the servers, which shouldn't occur...or at least I don't want
that to occur...so something is set incorrectly.
Is there a way to "suck out" the HBAC rules or whatever info for the user at
the command line? I certainly can't find why that second user can login, it should not be
able to, but it can.
It is currently very easy to create bad HBAC rules. The only real way to
test them is to crank up the debug level in sssd and watch the logs.
We and the sssd team are in the process of writing a utility where you
can simulate a rule execution and get feedback on how the rule will work
(or if pieces are missing).
Freeipa-users mailing list