Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +0000, JR Aquino wrote:
> 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules, they are there if you *really* need them, but you do not want to use them if you can avoid them :)

> 2) add users/usergroups to the rule
> 3) add hosts/hostgroups to the rule
> 4) disable the default 'allow all' rule

Remember that by default if a user isn't explicitly allowed the behavior of HBAC is to deny (that's why we have a default allow_all rule).

> Now any system that has SSSD 1.5 will enforce those HBAC rules.

And if it doesn't we really want to know as it is going to be a security issue.

Simo.

> For systems that do not support sssd, I have been working on a proof
> of concept authorization module for HBAC written in python.
>
> -JR
>
> On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:
>
> > Hi,
> >
> > I've seen/read it... and I have a hard copy on my desk in front of me right
> > now...
> >
> > I find it typical of such documents, it has lots of sections in great
> > detail but it doesn't tell you how to achieve anything end to end... and
> > often it gives you written instructions on visual tasks so if you are not
> > in the right bit of the gui you go nowhere... So it needs far more
> > screenshots and wizards...
> >
> > regards
> > ________________________________________
> > From: JR Aquino [[email protected]]
> > Sent: Tuesday, 14 June 2011 11:53 a.m.
> > To: Steven Jones
> > Cc: [email protected]
> > Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop
> > users logging into hosts?
> >
> > On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
> >
> > > I have put 3 clients into a netgroup and added a user, however when I
> > > remove the user from the netgroup the user can still login! Even if the
> > > user wasn't ever in the netgroup they can login...
> > >
> > > So how do I stop that?
> > >
> > > When will we see some documentation on doing user admin tasks like this?
> >
> > Have a look at this:
> >
> > http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Simo Sorce * Red Hat, Inc * New York
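The four steps above (allow rules, users/groups, hosts/hostgroups, disabling allow_all) and the default-deny behaviour Simo describes, as an added Python model that is not part of the thread or of FreeIPA's own code: it evaluates allow rules the way the thread describes and shows why a user who is not in the group can still log in while allow_all is enabled. Rule, user, group and host names are constructed; deny rules are left out, as advised.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class HbacRule:
    """One HBAC allow rule; the *_all flags stand for usercategory/hostcategory/servicecategory=all."""
    name: str
    enabled: bool = True
    all_users: bool = False
    all_hosts: bool = False
    all_services: bool = False
    users: frozenset = frozenset()
    usergroups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    hostgroups: frozenset = frozenset()
    services: frozenset = frozenset()

def rule_matches(rule, user, user_groups, host, host_groups, service):
    """A rule grants access only if it is enabled and its user, host and service parts all match."""
    if not rule.enabled:
        return False
    user_ok = rule.all_users or user in rule.users or bool(rule.usergroups & user_groups)
    host_ok = rule.all_hosts or host in rule.hosts or bool(rule.hostgroups & host_groups)
    svc_ok = rule.all_services or service in rule.services
    return user_ok and host_ok and svc_ok

def matching_rules(rules, user, user_groups, host, host_groups, service):
    """Names of the allow rules that match; an empty list means the default deny applies."""
    return [r.name for r in rules if rule_matches(r, user, user_groups, host, host_groups, service)]

# Constructed directory data: group memberships as the IPA client would resolve them.
USER_GROUPS = {"alice": {"webadmins"}, "bob": set()}
HOST_GROUPS = {"web1.example.test": {"webservers"}, "db1.example.test": {"dbservers"}}

# The stock allow_all rule next to a constructed rule built per steps 1-3 of the thread.
ALLOW_ALL = HbacRule("allow_all", all_users=True, all_hosts=True, all_services=True)
WEB_SSH = HbacRule("webadmins_ssh_webservers", usergroups=frozenset({"webadmins"}),
                   hostgroups=frozenset({"webservers"}), services=frozenset({"sshd"}))

def check(rules, user, host, service="sshd"):
    return matching_rules(rules, user, USER_GROUPS[user], host, HOST_GROUPS[host], service)

def scenario():
    """Same logins evaluated before and after step 4 (disabling allow_all)."""
    before = [ALLOW_ALL, WEB_SSH]
    after = [replace(ALLOW_ALL, enabled=False), WEB_SSH]
    return {
        "bob_web1_with_allow_all": check(before, "bob", "web1.example.test"),
        "bob_web1_without_allow_all": check(after, "bob", "web1.example.test"),
        "alice_web1_without_allow_all": check(after, "alice", "web1.example.test"),
        "alice_db1_without_allow_all": check(after, "alice", "db1.example.test"),
    }
```

On a real server the same before/after question is answered by `ipa hbactest` with the user, host and service in question.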
