In FreeIPA installations that already have some users and hosts in
them, the setup might be using host-based access control (HBAC)
without admins realizing it because by default there is a catchall
allow_all rule there. When you then want to start tweaking the setup,
the allow_all rule needs to be disabled or it would still allow all
accesses. That might break existing users.
about possible solution to that problem.
Principal Software Engineer, Identity Management Engineering, Red Hat
Freeipa-users mailing list
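
The risk described in the message above, as an added example that is not part of the original post and is not FreeIPA code: a simplified model of HBAC matching (allow-only rules, access granted when any enabled rule matches) that lists which currently working logins depend solely on allow_all. The rule names other than allow_all, the users, hosts and observed logins are constructed, and group membership is assumed to be flattened to individual members.

```python
# Simplified model of HBAC evaluation (assumption: allow-only rules, any match grants).
from dataclasses import dataclass

ALL = "all"  # stands in for a user/host/service category of "all"


@dataclass(frozen=True)
class Rule:
    name: str
    users: object      # frozenset of names, or ALL
    hosts: object
    services: object
    enabled: bool = True

    def matches(self, user, host, service):
        def hit(value, allowed_values):
            return allowed_values == ALL or value in allowed_values
        return (self.enabled and hit(user, self.users)
                and hit(host, self.hosts) and hit(service, self.services))


def allowed(rules, access, skip=()):
    """True if any enabled rule not named in `skip` matches the access."""
    return any(r.matches(*access) for r in rules if r.name not in skip)


def broken_by_disabling(rules, accesses, rule_name="allow_all"):
    """Accesses that work today but would be denied with `rule_name` disabled."""
    return [a for a in accesses
            if allowed(rules, a) and not allowed(rules, a, skip=(rule_name,))]


# Constructed sample data: rule set and (user, host, service) logins seen today.
RULES = [
    Rule("allow_all", ALL, ALL, ALL),
    Rule("admins_ssh", frozenset({"alice"}), ALL, frozenset({"sshd"})),
    Rule("web_deploy", frozenset({"bob"}), frozenset({"web1.example.test"}),
         frozenset({"sshd", "sudo"})),
]
OBSERVED = [
    ("alice", "db1.example.test", "sshd"),
    ("bob", "web1.example.test", "sudo"),
    ("bob", "db1.example.test", "sshd"),
    ("carol", "web1.example.test", "sshd"),
]

if __name__ == "__main__":
    for user, host, service in broken_by_disabling(RULES, OBSERVED):
        print(f"would break: {user} -> {service} on {host}")
```

On a real deployment, `ipa hbactest` answers the same question for one user, host and service against the server's actual rules.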