On Mon, 30 Nov 2015, Alexander Skwar wrote:

I'm trying to setup our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04
FreeIPA 3.3.4 clients so, that users in a user group called "customers"
can only access hosts, which are in a host group called "test". Users
from the user group "ops" should be able to access all systems (ie.
"prod" systems and also those "test" systems).

But I cannot get my head around to create proper HBAC rules/setup…

Could somebody maybe lend me a helping hand?

At the moment, I have set it up so, that I modified the "prod" systems
sshd_config and added "DenyGroups customer" there. On the test systems,
I don't have that line. That works, but it's not using IPA (in a sense…
I do have to modify the hosts configuration on the system, which I
dislike. Granted, with Chef, it's not much, but still *G*).
HBAC is enforced by SSSD over PAM. All you need to ensure is that an
application (sshd in this case) uses PAM. Then you setup HBAC rules,
disable allow_all rule, and then SSSD will verify rules on logon via
sshd, checking all rules for service 'sshd' and applying to this host
(via hostgroup or to all hosts).

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to