On 2012-09-17, at 10:33 AM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>>
>>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>>> Hello,
>>>>
>>>> I seem to be having a problem with the HBAC test:
>>>>
>>>> Versions:
>>>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>>>> ipa-server-2.2.0-16.el6.x86_64
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> ipa-python-2.2.0-16.el6.x86_64
>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>
>>>>
>>>> On the web console:
>>>>
>>>> Browse to HBAC TEST
>>>>
>>>> Who: mike
>>>> Accessing: pix.beta.local
>>>> Via service: tac_plus
>>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe
>>>> this has any effect)
>>>> Rules: tacacs
>>>>
>>>> Run Test -> Access Granted with matched rules showing tacacs
>>>>
>>>> On the command line:
>>>>
>>>> ipa hbactest
>>>> User name: mike
>>>> Target Host: pix.beta.local
>>>> Service: tac_plus
>>>> ---------------------
>>>> Access granted: False
>>>> ---------------------
>>>> Not matched rules: tacacs
>>>>
>>>> tacacs rule:
>>>> General: Enabled
>>>> Who: user group: ciscoadmin -> mike is a member
>>>> accessing: cisco-devices -> pix.beta.local is a member
>>>> Via Service: tac_plus
>>>> From: any host
>>>>
>>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is
>>>> still present)
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>> I do not know whether this issue was resolved. Hope it was on the IRC or
>>> in some other way.
>>>
>>> The problem above is related to the "from host" I believe.
>>> Please do not use the "from host". The whole concept is a bit broken and
>>> not reliable.
>>
>> I don't seem to be able to *not* select a 'from host' with the web console,
>> I get:
>>
>> Input form contains invalid of missing values.
>>
>> Missing values:
>> Source host.
>
> I believe this value is ignored anyway.
>
> This is very strange as the same backend is used to evaluate both the web and
> cli rules.
>
> It might be helpful to crank up debugging to get more details on what is
> being passed in. Perhaps there is some subtle difference.
>
> If you want to give this a go, edit /etc/ipa/default.conf and add
>
> debug = True
Hello,

I set up default.conf with debug = True, and I am unable to reproduce the
different results? Removed the debug statement and restarted httpd, both
interfaces produce the same result (success).

Thanks,
Mike

> and restart the httpd service, then try your commands again. You should get a
> bit more detail in /var/log/httpd/error_log about the request sent in and the
> response.
>
> You probably don't want to leave this enabled for too long.
>
> rob
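The debugging step Rob describes above (add "debug = True" to /etc/ipa/default.conf, restart httpd, compare the web and CLI hbactest requests in /var/log/httpd/error_log, then turn it off again) is easy to get wrong by hand: the line ends up outside the [global] section, or gets duplicated, or is forgotten and left on. The following added example, which is not from the thread or from the FreeIPA project, is a small POSIX sh helper that toggles that setting in a file path you pass in, keeps a .bak copy for reverting, and reports the current state. The sample default.conf it edits is constructed with placeholder values; it does not restart httpd, since that depends on the host and is left to the operator.

```shell
#!/bin/sh
# Added example, not FreeIPA code: toggle "debug = True" in a default.conf-style
# file so the noisy server logging can be switched on for an hbactest comparison
# and reliably switched off afterwards. Only the file is edited; restarting
# httpd is deliberately left to the operator.

# set_ipa_debug FILE on|off
# "on"  : ensures exactly one "debug = True" line directly under [global]
# "off" : removes any debug line
# A copy of the previous contents is written to FILE.bak before changing FILE.
set_ipa_debug() {
    conf="$1"
    mode="$2"
    cp "$conf" "$conf.bak" || return 1
    # drop any existing debug setting first so "on" never produces duplicates
    grep -v '^[[:space:]]*debug[[:space:]]*=' "$conf.bak" > "$conf.tmp"
    if [ "$mode" = "on" ]; then
        # print every line, and add the setting right after the [global] header
        awk '{ print } /^\[global\]/ { print "debug = True" }' "$conf.tmp" > "$conf"
        rm -f "$conf.tmp"
    else
        mv "$conf.tmp" "$conf"
    fi
}

# ipa_debug_state FILE -> prints "on" if a debug = True line is present, else "off"
ipa_debug_state() {
    if grep -qi '^[[:space:]]*debug[[:space:]]*=[[:space:]]*true' "$1"; then
        echo on
    else
        echo off
    fi
}

# Constructed sample default.conf; hostnames and realm are placeholders.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
[global]
host = ipaserver.example.test
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
xmlrpc_uri = https://ipaserver.example.test/ipa/xml
enable_ra = True
EOF

set_ipa_debug "$demo_conf" on
echo "after on:  $(ipa_debug_state "$demo_conf")"
set_ipa_debug "$demo_conf" off
echo "after off: $(ipa_debug_state "$demo_conf")"
# On a real RHEL 6 server each change would be followed by "service httpd restart",
# then the web UI and "ipa hbactest" runs compared in /var/log/httpd/error_log.
```

Running set_ipa_debug twice with "on" still leaves a single debug line, because the existing setting is stripped before the new one is inserted; the .bak file makes the revert a plain copy back if anything else in the file was touched by mistake.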