Thanks for you reply.  I understand what you are saying but don¹t see how
this would work because Allow_All is my current situation (even with this
rule disabled).  My understand is you can¹t restrict through a rule, only
limit.  I am missing something?




On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of Jakub
Hrozek" <freeipa-users-boun...@redhat.com on behalf of jhro...@redhat.com>
wrote:

>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hi.
>> 
>> I have a been successful using Freeipa 4.1 configuring active directory
>>users and with sudo.  The problem I am having is that the HBAC rules are
>>not applying to my active directory users.  They have access to all
>>systems even if I disable my Allow_ALL rule.  Is there something special
>>I should be doing to domain?
>
>Normally HBAC for AD users should be done through an external group you
>add the AD users or groups to, then add the external group to a regular
>IPA group and reference this IPA group from HBAC rules.
>
>There have been bugs related to external groups resolution, so please
>update to the latest IPA and SSSD packages also.
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to