On 07/09/2013 03:57 PM, KodaK wrote:
> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>     HBAC is enforced by sssd, so no sssd, no HBAC.
>     I think you need to use pam_access to limit users in AIX.
> I have some work-arounds now, but I'd like to find a way to automate
> them.  What
> I need is a way to ask IPA "who is allowed to access this particular
> server?"
> The goal is go just get a list of allowed users, then there are
> various mechanisms
> I can employ to allow access to only the listed users.  I plan to do
> this from the
> puppet master so I can push the configs from there.  I have
> ipa-admintools and
> openldap-clients installed on the puppet master.
> Right now I'm iterating through all the hbacrules and grepping for the
> server in 
> question, then getting the details of that rule.  This is a lot of
> requests.

A valid RFE I would say...
May be it should be an enhancement for the hbac-test tool?
However getting a list of the users verbatim is probably costly too.
May be it would make sense for you to create a group of AIX users in IPA
and then fetch it from the puppet master traverse its memberOf attribute
for list of members?
It will not use HBAC but still would provide some access control
Will that solve the problem for you?

> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to