On Tue, 2011-06-14 at 01:34 +0000, Steven Jones wrote:
> Hmm,
>
> So what's the default rule? Can I set precedence? Is there any?
>
> Example.
>
> So I've disabled the allow_all rule, I made a deny_all rule and then a
> rule to allow specific user groups to login to specific hostgroups
> servers....that didn't work...
DENY rules always win (meaning they override any ALLOW rule). So if you have a DENY rule that matches everyone, your ALLOW rules will never match.

HBAC rules work this way:

If no rules match, deny.
If one or more ALLOW rules match: grant access unless one or more DENY rules match, in which case: deny.

> So I disabled the deny_all rule and users in the specific group can
> login to the specific server, and if I remove them from the user group
> they cannot login, so OK good BUT the trouble is a second user that is
> in no groups at all can also login to the servers, which shouldn't
> occur...or at least I don't want that to occur...so something is set
> incorrectly.
>
> Is there a way to "suck out" the HBAC rules or whatever info for the
> user at the command line? I certainly can't find why that second user
> can login, it should not be able to, but it can.

'ipa hbacrule-find'

This will give you output like:

  Rule name: testrule
  Rule type: allow
  Enabled: TRUE
  Groups: ipausers
  Hosts: client1.example.com
  Source hosts: client2.example.com
  Services: sshd

The meaning of the above rule is: Any user in the group 'ipausers' can log into 'client1.example.com' FROM client2.example.com using SSH.
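The evaluation order stated in the reply, worked through as an added Python example that is not part of this message or of FreeIPA's own code. The rule fields, the *_all flags (standing in for the "all" category that rules such as allow_all use), the group 'admins' and the user names are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    """One HBAC rule. Empty member sets match nobody unless the matching *_all flag
    is set (a stand-in for the 'all' category that rules such as allow_all use)."""
    name: str
    rule_type: str                  # "allow" or "deny"
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    users_all: bool = False
    hosts_all: bool = False
    services_all: bool = False

    def matches(self, user, user_groups, host, service):
        if not self.enabled:        # a disabled rule never matches
            return False
        return ((self.users_all or user in self.users or bool(self.groups & set(user_groups)))
                and (self.hosts_all or host in self.hosts)
                and (self.services_all or service in self.services))

def hbac_decision(rules, user, user_groups, host, service):
    """No match -> deny; any matching DENY -> deny; otherwise a matching ALLOW grants."""
    matched = [r for r in rules if r.matches(user, user_groups, host, service)]
    if not matched:
        return "deny"
    if any(r.rule_type == "deny" for r in matched):
        return "deny"               # DENY always wins over ALLOW
    return "allow"

def thread_scenario(deny_all_enabled, leftover_allow_all=False):
    """Constructed rule set mirroring the thread: a deny_all rule, an allow rule for
    group 'admins' on client1.example.com over sshd, and optionally an allow_all rule
    that was never disabled (one way the stated logic lets a user in no group log in)."""
    rules = [
        HbacRule("deny_all", "deny", enabled=deny_all_enabled,
                 users_all=True, hosts_all=True, services_all=True),
        HbacRule("admins_ssh", "allow", groups={"admins"},
                 hosts={"client1.example.com"}, services={"sshd"}),
    ]
    if leftover_allow_all:
        rules.append(HbacRule("allow_all", "allow",
                              users_all=True, hosts_all=True, services_all=True))
    where = ("client1.example.com", "sshd")
    return {"alice_in_admins": hbac_decision(rules, "alice", ["admins"], *where),
            "bob_no_groups": hbac_decision(rules, "bob", [], *where)}
```

With deny_all enabled both users are denied regardless of the allow rule; with it disabled only the group member is allowed, unless another enabled allow rule matches everyone.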
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users