On 09/17/2012 09:47 AM, Michael Mercier wrote:
> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> Versions:
>>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>>
>>>
>>> On the web console:
>>>
>>> Browse to HBAC TEST
>>>
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe
>>> this has any effect)
>>> Rules: tacacs
>>>
>>> Run Test -> Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>>
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> ---------------------
>>> Access granted: False
>>> ---------------------
>>> Not matched rules: tacacs
>>>
>>> tacacs rule:
>>> General: Enabled
>>> Who: user group: ciscoadmin -> mike is a member
>>> accessing: cisco-devices -> pix.beta.local is a member
>>> Via Service: tac_plus
>>> From: any host
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is
>>> still present)
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Mike
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or
>> in some other way.
>>
>> The problem above is related to the "from host" I believe.
>> Please do not use the "from host". The whole concept is a bit broken and
>> not reliable.
>
> I don't seem to be able to *not* select a 'from host' with the web console, I
> get:
>
> Input form contains invalid of missing values.
>
> Missing values:
> Source host.

You need to choose "all" option to ignore the values from this field.

>
>
> Thanks,
> Mike
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
