Thanks for your reply. I understand what you are saying but don't see how
this would work because Allow_All is my current situation (even with this
rule disabled). My understanding is you can't restrict through a rule, only
limit. Am I missing something?
On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of Jakub
Hrozek" <freeipa-users-boun...@redhat.com on behalf of jhro...@redhat.com>
>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>> I have been successful using FreeIPA 4.1 configuring active directory
>>users and with sudo. The problem I am having is that the HBAC rules are
>>not applying to my active directory users. They have access to all
>>systems even if I disable my Allow_ALL rule. Is there something special
>>I should be doing to the domain?
>Normally HBAC for AD users should be done through an external group you
>add the AD users or groups to, then add the external group to a regular
>IPA group and reference this IPA group from HBAC rules.
>There have been bugs related to external groups resolution, so please
>update to the latest IPA and SSSD packages also.
>Manage your subscription for the Freeipa-users mailing list:
>Go to http://freeipa.org for more info on the project
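
The chain described in the quoted reply (AD group into an external group, external group into a regular IPA group, HBAC rule referencing the IPA group), as an added example that is not part of the original thread. All group, rule and host names are constructed placeholders; the script only prints the `ipa` commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: external group -> regular IPA group -> HBAC rule.
# Every name below is a constructed placeholder, not a value from the thread.
AD_GROUP='AD\Domain Users'        # hypothetical AD group (NetBIOS\name)
EXT_GROUP='ad_users_external'     # hypothetical external (non-POSIX) IPA group
IPA_GROUP='ad_users'              # hypothetical regular IPA group
RULE='allow_ad_ssh'               # hypothetical HBAC rule name
HOST='client1.ipa.example.com'    # hypothetical enrolled IPA client

# Print each command for review; execute it only when APPLY=1
# (execution needs an admin Kerberos ticket on an IPA host).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

hbac_for_ad_group() {
    # 1. The external group holds the AD users or groups.
    #    (group-add-member may prompt for further members; press Enter.)
    run ipa group-add "$EXT_GROUP" --external --desc='AD users (external)'
    run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP"
    # 2. A regular IPA group contains the external group.
    run ipa group-add "$IPA_GROUP" --desc='AD users'
    run ipa group-add-member "$IPA_GROUP" --groups="$EXT_GROUP"
    # 3. The HBAC rule references the regular IPA group, not the external one.
    run ipa hbacrule-add "$RULE"
    run ipa hbacrule-add-user "$RULE" --groups="$IPA_GROUP"
    run ipa hbacrule-add-host "$RULE" --hosts="$HOST"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd
    # 4. Once a specific rule exists, disable the default allow_all rule.
    run ipa hbacrule-disable allow_all
}

hbac_for_ad_group
```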