On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <[email protected]> wrote:
> On 07/09/2013 03:57 PM, KodaK wrote:
> >
> > On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <[email protected]> wrote:
> >>
> >> HBAC is enforced by sssd, so no sssd, no HBAC.
> >>
> >> I think you need to use pam_access to limit users in AIX.
> >>
> >
> > I have some work-arounds now, but I'd like to find a way to automate them. What
> > I need is a way to ask IPA "who is allowed to access this particular server?"
> >
> > The goal is to just get a list of allowed users, then there are various mechanisms
> > I can employ to allow access to only the listed users. I plan to do this from the
> > puppet master so I can push the configs from there. I have ipa-admintools and
> > openldap-clients installed on the puppet master.
> >
> > Right now I'm iterating through all the hbacrules and grepping for the server in
> > question, then getting the details of that rule. This is a lot of requests.
> >
>
> A valid RFE I would say...
> Maybe it should be an enhancement for the hbac-test tool?
> However getting a list of the users verbatim is probably costly too.
> Maybe it would make sense for you to create a group of AIX users in IPA
> and then fetch it from the puppet master, traverse its memberOf attribute
> for the list of members?
> It will not use HBAC but still would provide some access control
> optimization.
> Will that solve the problem for you?
I thought about that, but there are some drawbacks. I don't have "a" group of AIX users that access all AIX machines. I have a bunch of different AIX machines with different user sets. I can create a group for each host called hostname_access -- but then I'm just replicating (quite inefficiently) information that already exists in the HBAC rules.

I can probably create one rule per host in HBAC and query that particular rule for the allowed users, but this loses the benefit of being able to use host and user groups. This is probably where we'll end up, though, since it's the least-effort-to-implement (if worst to maintain) option.

How does sssd determine if a user is allowed access? Another option may be to replicate that functionality in a program or script on the puppet master and have it populate some files once a day or so. Alternately we could write a PAM module for AIX that replicates that functionality. Right now, though, I have no idea how it's done in SSSD (a pointer to where it is in the code would be helpful, even.)

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
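An added example, not code from this thread, from FreeIPA or from SSSD: a simplified model of the per-rule checks an HBAC evaluator applies (rule enabled; user, host and service each match by category "all" or by explicit membership; any matching rule allows), used to answer the "who is allowed on this host?" question from rule data. The rules, users, groups and host names are constructed for illustration.

```python
# Added example, not code from this thread, FreeIPA or SSSD: a simplified model
# of HBAC rule evaluation, used to list which users at least one enabled rule
# lets onto a given host. All rules, users, groups and host names are constructed.

def element_matches(category, members, member_groups, name, groups):
    """One rule element (user, host or service) matches when its category is
    'all', or the name itself or one of its groups is listed in the rule."""
    if category == "all":
        return True
    return name in members or not set(groups).isdisjoint(member_groups)


def rule_allows(rule, user, user_groups, host, host_groups, service, svc_groups):
    """A single HBAC rule grants access only if it is enabled and the user,
    host and service elements all match; access is allowed if any rule grants it."""
    if not rule["enabled"]:
        return False
    return (element_matches(rule["usercat"], rule["users"], rule["groups"], user, user_groups)
            and element_matches(rule["hostcat"], rule["hosts"], rule["hostgroups"], host, host_groups)
            and element_matches(rule["svccat"], rule["services"], rule["svcgroups"], service, svc_groups))


def allowed_users(rules, users, host, host_groups, service="sshd", svc_groups=()):
    """Return the sorted names of users that some enabled rule lets onto `host`
    for `service`; `users` maps each user name to its list of groups."""
    return sorted(u for u, ugroups in users.items()
                  if any(rule_allows(r, u, ugroups, host, host_groups, service, svc_groups)
                         for r in rules))


# Constructed sample data (hypothetical rules and principals, not a real IPA domain).
RULES = [
    {"name": "aix_admins", "enabled": True, "usercat": None, "users": [], "groups": ["aixadmins"],
     "hostcat": None, "hosts": [], "hostgroups": ["aix"], "svccat": "all", "services": [], "svcgroups": []},
    {"name": "jump_ssh", "enabled": True, "usercat": "all", "users": [], "groups": [],
     "hostcat": None, "hosts": ["jump.example.test"], "hostgroups": [], "svccat": None,
     "services": ["sshd"], "svcgroups": []},
    {"name": "devs_on_aix", "enabled": False, "usercat": None, "users": [], "groups": ["devs"],
     "hostcat": None, "hosts": [], "hostgroups": ["aix"], "svccat": "all", "services": [], "svcgroups": []},
]
USERS = {"alice": ["aixadmins"], "bob": ["devs"], "carol": []}
HOST_GROUPS = {"aix1.example.test": ["aix"], "jump.example.test": []}

if __name__ == "__main__":
    for h, hg in HOST_GROUPS.items():
        print(h, "->", allowed_users(RULES, USERS, h, hg))
```

Against real data the rule, user and host-group inputs would come from `ipa hbacrule-find`/`hbacrule-show` and the memberOf attributes the thread already discusses; the disabled rule shows why an enabled check belongs before any membership test.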
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
