On Tue, 10 Mar 2015, Guertin, David S. wrote:
> Seems the initial/default setup for IPA server is to put in an 'allow_all'
rule. Thus you can actively manage HBAC but out of the box, it is essentially
turned off by that rule.

Yes. The default was the opposite very long time ago, you had to explicitly
enable access to the box. But it was causing too many user issues.

OK, I have reinstalled the IPA server with the --no_hbac_allow flag
(i.e. : ipa-server-install --no_hbac_allow), but the behavior remains
the same. I can still see all AD users instead of just those in the
particular group I've added.

Is there something else that needs be done to override the allow_all setting?
Can you be more specific?

If you have allow_all HBAC rule enabled, it is just that -- any existing user
will be authorized to access any service on any host given they authenticate

If you disabled allow_all rule, then some other rule may allow such
access but without more details about your configuration it is
impossible to say what are you doing.

On top of this you add confusion by saying "I can still see all AD
users" -- what do you mean by this?

Any substantiated shell output would definitely help here to understand
your issues.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to