> > Seems the initial/default setup for IPA server is to put in an 'allow_all'
> rule. Thus you can actively manage HBAC but out of the box, it is essentially
> turned off by that rule.
> 
> Yes. The default was the opposite very long time ago, you had to explicitly
> enable access to the box. But it was causing too many user issues.

OK, I have reinstalled the IPA server with the --no_hbac_allow flag (i.e. : 
ipa-server-install --no_hbac_allow), but the behavior remains the same. I can 
still see all AD users instead of just those in the particular group I've added.

Is there something else that needs be done to override the allow_all setting?

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to