For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:

> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> sipazzo wrote:
>>
>>> and my users are able to authenticate to the directory but the hbac
>>> rules are not being applied. Any user whether given access or not can
>>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>>> nsswitch.conf file looks good and I have tried different configs of
>>> pam.d, including the provided example to try to resolve the issue. Am I
>>> missing some steps?
>>
>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>
> one might try using solaris' RBAC system:
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is a RBAC ldap schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
> solaris, but I have never tried using it with freeipa.
>
> --
> Groeten,
> natxo
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project