Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +0000, JR Aquino wrote:
> 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules, they are there if you
*really* need them, but you do not want to use them if you can avoid
them :)

> 2) add users/usergroups to the rule
> 3) add hosts/hostgroups to the rule
> 4) disable the default 'allow all' rule

Remember that, by default, if a user isn't explicitly allowed the behavior
of HBAC is to deny (that's why we have a default allow_all rule).

> Now any system that has SSSD 1.5 will enforce those HBAC rules.

And if it doesn't we really want to know as it is going to be a security
issue.

Simo.

> For systems that do not support sssd, I have been working on a proof
> of concept authorization module for HBAC written in python.
> 
> -JR
> 
> On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:
> 
> > Hi,
> > 
> > I've seen/read it.....and I have a hard copy on my desk in front of me right 
> > now....
> > 
> > I find it typical of such documents, it has lots of sections in great 
> > detail but it doesn't tell you how to achieve anything end to end....and 
> > often it gives you written instructions on visual tasks so if you are not 
> > in the right bit of the gui you go nowhere.....So it needs far more 
> > screenshots and wizards....
> > 
> > regards
> > ________________________________________
> > From: JR Aquino [jr.aqu...@citrix.com]
> > Sent: Tuesday, 14 June 2011 11:53 a.m.
> > To: Steven Jones
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop 
> > users logging into hosts?
> > 
> > On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
> > 
> >> I have put 3 clients into a netgroup and added a user, however when I 
> >> remove the user from the netgroup the user can still login! Even if the 
> >> user wasn't ever in the netgroup they can login....
> >> 
> >> So how do I stop that?
> >> 
> >> When will we see some documentation on doing user admin tasks like this?
> > 
> > Have a look at this:
> > 
> > http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Simo Sorce * Red Hat, Inc * New York
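A small Python model of the HBAC evaluation order discussed in this thread, added here as an example (it is not FreeIPA or SSSD code): access is denied unless an enabled allow rule matches user, host and service, and an enabled deny rule wins over any allow. This is why step 4 (disabling allow_all) is what actually locks out a user who was never in the group. Rule names, users, groups and host names below are constructed.

```python
"""Toy model of FreeIPA HBAC evaluation (added example, not FreeIPA/SSSD code).

Semantics modelled: a request is denied unless an enabled allow rule matches
the user (directly or via a group), the host (directly or via a host group)
and the service; an enabled deny rule that matches overrides every allow.
Real deployments manage these rules with the `ipa hbacrule-*` commands.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    kind: str = "allow"            # "allow" or "deny"
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    all_users: bool = False        # usercategory=all
    all_hosts: bool = False        # hostcategory=all
    all_services: bool = False     # servicecategory=all


def _matches(rule, user, user_groups, host, host_groups, service):
    u = rule.all_users or user in rule.users or bool(user_groups & rule.groups)
    h = rule.all_hosts or host in rule.hosts or bool(host_groups & rule.hostgroups)
    s = rule.all_services or service in rule.services
    return u and h and s


def hbac_allowed(rules, user, user_groups, host, host_groups, service):
    """Return True if access is granted; with no matching rule the answer is deny."""
    hits = [r for r in rules if r.enabled and
            _matches(r, user, set(user_groups), host, set(host_groups), service)]
    if any(r.kind == "deny" for r in hits):
        return False
    return any(r.kind == "allow" for r in hits)


def scenario():
    """Constructed replay of the thread: a group rule exists, then allow_all is disabled."""
    allow_all = Rule("allow_all", all_users=True, all_hosts=True, all_services=True)
    admins_ssh = Rule("admins_ssh", groups={"admins"}, hostgroups={"lab-clients"}, services={"sshd"})
    rules = [allow_all, admins_ssh]
    host, hgs = "client1.example.test", ["lab-clients"]
    before = hbac_allowed(rules, "bob", [], host, hgs, "sshd")          # step 4 not done yet
    allow_all.enabled = False                                           # ipa hbacrule-disable allow_all
    after_member = hbac_allowed(rules, "alice", ["admins"], host, hgs, "sshd")
    after_stranger = hbac_allowed(rules, "bob", [], host, hgs, "sshd")
    return before, after_member, after_stranger
```

`scenario()` returns `(True, True, False)`: the outsider logs in only while allow_all is enabled, which matches the behaviour Steven observed.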
