On Tue, 2011-06-14 at 01:34 +0000, Steven Jones wrote:
> Hmm,
> So what's the default rule?  Can I set precedence? Is there any?
> Example.
> So I've disabled the allow_all rule, I made a deny_all rule and then a
> rule to allow specific user groups to login to specific hostgroups
> servers....that didn't work...

DENY rules always win (meaning they override any ALLOW rule). So if you
have a DENY rule that matches everyone, your ALLOW rules will never

HBAC rules work this way:
If no rules match, deny.
If one or more ALLOW rules match: grant access
unless one or more DENY rules match, in which case: deny.

> So I disabled the deny_all rule and users in the specific group can
> login to the specific server, and if I remove them from the user group
> they cannot login, so OK good BUT the trouble is a second user that is
> in no groups at all can also login to the servers, which shouldn't
> occur...or at least I don't want that to occur...so something is set
> incorrectly.
> Is there a way to "suck out" the HBAC rules or whatever info for the
> user at the command line?  I certainly can't find why that second user
> can login, it should not be able to, but it can.

'ipa hbacrule-find'

This will give you output like:
  Rule name: testrule
  Rule type: allow
  Enabled: TRUE
  Groups: ipausers
  Hosts: client1.example.com
  Source hosts: client2.example.com
  Services: sshd

The meaning of the above rule is:
Any user in the group 'ipausers' can log into 'client1.example.com' FROM
client2.example.com using SSH.

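The evaluation order given in the reply (no match: deny; any matching DENY wins; otherwise a matching ALLOW grants access) can be replayed against the poster's two configurations. The following is an added example written for this thread, not FreeIPA code and not something the list participants posted. It models rules with the fields that `ipa hbacrule-find` prints; the value `"all"` in a field is an assumed shorthand for a rule that matches everyone (the allow_all / deny_all rules the poster describes), and the rule set below is constructed from the mail.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One HBAC rule, with the fields shown by 'ipa hbacrule-find'."""
    name: str
    rule_type: str                                  # "allow" or "deny"
    enabled: bool = True
    groups: set = field(default_factory=set)        # user groups, or {"all"} (assumed wildcard)
    hosts: set = field(default_factory=set)         # target hosts, or {"all"}
    source_hosts: set = field(default_factory=set)  # hosts the login comes FROM, or {"all"}
    services: set = field(default_factory=set)      # e.g. {"sshd"}, or {"all"}


def _any_match(selector, values):
    """True if the selector is the assumed 'all' wildcard or shares an element with values."""
    return "all" in selector or bool(selector & values)


def rule_matches(rule, user_groups, host, source_host, service):
    """A disabled rule never matches; otherwise every dimension must match."""
    if not rule.enabled:
        return False
    return (_any_match(rule.groups, user_groups)
            and _any_match(rule.hosts, {host})
            and _any_match(rule.source_hosts, {source_host})
            and _any_match(rule.services, {service}))


def evaluate(rules, user_groups, host, source_host, service):
    """Apply the order from the mail: no match -> deny; any matching DENY -> deny;
    otherwise a matching ALLOW grants access. Returns (decision, matched rule names)."""
    matched = [r for r in rules if rule_matches(r, user_groups, host, source_host, service)]
    names = [r.name for r in matched]
    if not matched:
        return "deny", names
    if any(r.rule_type == "deny" for r in matched):
        return "deny", names
    return "allow", names


# Constructed rule set mirroring the thread: the 'testrule' from the reply, plus the
# deny_all and (disabled) allow_all rules the original poster describes.
TESTRULE = Rule("testrule", "allow", True, {"ipausers"}, {"client1.example.com"},
                {"client2.example.com"}, {"sshd"})
DENY_ALL = Rule("deny_all", "deny", True, {"all"}, {"all"}, {"all"}, {"all"})
ALLOW_ALL = Rule("allow_all", "allow", False, {"all"}, {"all"}, {"all"}, {"all"})


def scenario():
    """Replay the poster's configurations for an ipausers member and a user in no groups."""
    member, nobody = {"ipausers"}, set()
    where = ("client1.example.com", "client2.example.com", "sshd")
    with_deny = evaluate([ALLOW_ALL, DENY_ALL, TESTRULE], member, *where)[0]
    without_deny = evaluate([ALLOW_ALL, TESTRULE], member, *where)[0]
    no_groups = evaluate([ALLOW_ALL, TESTRULE], nobody, *where)[0]
    # Same user, but logging in from a host the rule's "Source hosts" does not list.
    wrong_source = evaluate([ALLOW_ALL, TESTRULE], member,
                            "client1.example.com", "client3.example.com", "sshd")[0]
    return {"deny_all_enabled": with_deny, "deny_all_disabled": without_deny,
            "user_in_no_groups": no_groups, "from_other_source_host": wrong_source}


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:24s} -> {decision}")
```

With deny_all enabled, the ipausers member is denied even though testrule matches, which is the "DENY always wins" behaviour from the reply. With deny_all disabled, the member is allowed, and a user in no groups gets the implicit deny; if a live system grants that second user access anyway, some other enabled rule must be matching, and `ipa hbacrule-find` is the place to look for it.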