Re: [Freeipa-users] IPA User Group Auto membership

2015-08-15 Thread Yogesh Sharma
The same is working when I use userclass instead of title, because the option to
set the title is available only after creating the user, whereas we can set the
userclass while creating the user from the UI.

Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified



On Sat, Aug 15, 2015 at 8:52 PM, Yogesh Sharma  wrote:

> Hi Rob,
>
> My concern was for new entries only.
>
> -Yogesh Sharma
>
> (Sent from my HTC)
> On 15-Aug-2015 7:40 pm, "Rob Crittenden"  wrote:
>
>> Yogesh Sharma wrote:
>>
>>> Team,
>>>
>>> We are having an issue configuring Auto Membership for a user group, i.e.
>>> whenever we add/update a user in IPA, it should get added to a group
>>> on the basis of his/her Job Title.
>>>
>>> Below is the rule:
>>>
>>> [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find  dbausers
>>> Grouping Type: group
>>> ---
>>> 1 rules matched
>>> ---
>>>Description: DBA Auto membership
>>>Automember Rule: dbausers
>>>Inclusive Regex: title=(.*)((?i)(DBA))(.*)
>>> 
>>> Number of entries returned 1
>>> 
>>> [root@ipa-inf-prd-ng2-02 ~]#
>>>
>>>
>>> We are setting Job Title as "Sr. DBA Mgr", "DBA II", etc. However, it is
>>> not working.
>>>
>>> We have tested the regex, and it seems to be working while testing it.
>>>
>>
>> The rules only apply to new entries. In order to apply rules to existing
>> entries run: ipa automember-rebuild --type=group
>>
>> rob
>>
>>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
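An added example, not code from this thread or from FreeIPA itself: a small Python audit that applies automember rules written in ipa's "attribute=regex" form to sample user entries and reports users the rules now cover who are missing from the group, which is exactly the gap that opens when the title is set only after the user is created. Assumptions: the sample entries and the userclass rule are constructed, and rule evaluation is approximated as "some inclusive regex matches and no exclusive regex does".

```python
import re

# Constructed sample entries (not from the thread). dave has no title because
# the web UI only lets you set one after the user has been created.
USERS = [
    {"uid": "alice", "title": "Sr. DBA Mgr", "userclass": "dba"},
    {"uid": "bob", "title": "DBA II", "userclass": "dba"},
    {"uid": "carol", "title": "Network Engineer", "userclass": "neteng"},
    {"uid": "dave", "userclass": "dba"},
]
# Rules in ipa's "attribute=regex" form: dbausers is the rule from the thread,
# the userclass rule is the workaround Yogesh reported.
RULES = {
    "dbausers": {"inclusive": ["title=(.*)((?i)(DBA))(.*)"], "exclusive": []},
    "dbausers-by-class": {"inclusive": ["userclass=^dba$"], "exclusive": []},
}

def compile_rule(spec):
    """Split 'attr=regex' and compile the regex with Python's re module."""
    attr, _, pattern = spec.partition("=")
    # Python 3.11+ rejects a global flag such as (?i) placed mid-pattern;
    # hoisting it keeps the rule's meaning. (Assumption: the directory
    # server's own regex engine accepts the thread's pattern unchanged.)
    if "(?i)" in pattern and not pattern.startswith("(?i)"):
        pattern = "(?i)" + pattern.replace("(?i)", "")
    return attr, re.compile(pattern)

def any_match(entry, specs):
    """True if any spec matches a value of its attribute; a missing attribute never matches."""
    for spec in specs:
        attr, rx = compile_rule(spec)
        values = entry.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if any(rx.search(v) for v in values):
            return True
    return False

def expected_members(users, rules):
    """Membership the rules imply for the entries as they look right now."""
    return {g: [u["uid"] for u in users
                if any_match(u, r["inclusive"]) and not any_match(u, r["exclusive"])]
            for g, r in rules.items()}

def membership_drift(users, rules, actual):
    """Users the rules cover who are not in the group (attribute set after creation,
    which automember does not re-evaluate). Non-empty => ipa automember-rebuild --type=group"""
    want = expected_members(users, rules)
    missing = {g: sorted(set(want[g]) - set(actual.get(g, []))) for g in rules}
    return {g: uids for g, uids in missing.items() if uids}
```

The `actual` argument is the membership you would read from the directory (for instance from `ipa group-show`); feeding the script the current entries and that membership shows which users a rebuild would pick up.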

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Bob
For Solaris we are using the pam_list module to control which LDAP users
can have system access. The pam_list module allows netgroups to be listed in
a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote:

>
>
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
>
>> sipazzo wrote:
>>
>>>
>>> and my users are able to authenticate to the directory but the hbac
>>> rules are not being applied. Any user whether given access or not can
>>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>>> nsswitch.conf file looks good and I have tried different configs of
>>> pam.d, including the provided example to try to resolve the issue. Am I
>>> missing some steps?
>>>
>>
>> HBAC enforcement is provided by sssd, so it doesn't work in Solaris.
>>
>
> One might try using Solaris' RBAC system:
>
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is an RBAC LDAP schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
> Solaris, but I have never tried using it with FreeIPA.
>
> --
> Groeten,
> natxo
>

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Natxo Asenjo
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  wrote:

> sipazzo wrote:
>
>>
>> and my users are able to authenticate to the directory but the hbac
>> rules are not being applied. Any user whether given access or not can
>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>> nsswitch.conf file looks good and I have tried different configs of
>> pam.d, including the provided example to try to resolve the issue. Am I
>> missing some steps?
>>
>
> HBAC enforcement is provided by sssd, so it doesn't work in Solaris.
>

One might try using Solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is an RBAC LDAP schema
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
Solaris, but I have never tried using it with FreeIPA.

--
Groeten,
natxo

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Rob Crittenden

sipazzo wrote:

> Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7
> clients, Solaris 10 clients and a handful of Solaris 11 clients. I
> followed this guide in setting up the solaris clients: 3.8. Configuring
> a Solaris System as a FreeIPA Client
>
> and my users are able to authenticate to the directory but the hbac
> rules are not being applied. Any user whether given access or not can
> login to the Solaris systems. The "allow-all" rule has been disabled, my
> nsswitch.conf file looks good and I have tried different configs of
> pam.d, including the provided example to try to resolve the issue. Am I
> missing some steps?

HBAC enforcement is provided by sssd, so it doesn't work in Solaris.

rob



Re: [Freeipa-users] IPA User Group Auto membership

2015-08-15 Thread Yogesh Sharma
Hi Rob,

My concern was for new entries only.

-Yogesh Sharma

(Sent from my HTC)
On 15-Aug-2015 7:40 pm, "Rob Crittenden"  wrote:

> Yogesh Sharma wrote:
>
>> Team,
>>
>> We are having an issue configuring Auto Membership for a user group, i.e.
>> whenever we add/update a user in IPA, it should get added to a group
>> on the basis of his/her Job Title.
>>
>> Below is the rule:
>>
>> [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find  dbausers
>> Grouping Type: group
>> ---
>> 1 rules matched
>> ---
>>Description: DBA Auto membership
>>Automember Rule: dbausers
>>Inclusive Regex: title=(.*)((?i)(DBA))(.*)
>> 
>> Number of entries returned 1
>> 
>> [root@ipa-inf-prd-ng2-02 ~]#
>>
>>
>> We are setting Job Title as "Sr. DBA Mgr", "DBA II", etc. However, it is
>> not working.
>>
>> We have tested the regex, and it seems to be working while testing it.
>>
>
> The rules only apply to new entries. In order to apply rules to existing
> entries run: ipa automember-rebuild --type=group
>
> rob
>
>

[Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread sipazzo
Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7 clients, 
Solaris 10 clients and a handful of Solaris 11 clients. I followed this guide 
in setting up the solaris clients: 3.8. Configuring a Solaris System as a 
FreeIPA Client

and my users are able to authenticate to the directory but the hbac rules are 
not being applied. Any user whether given access or not can login to the 
Solaris systems. The "allow-all" rule has been disabled, my nsswitch.conf file 
looks good and I have tried different configs of pam.d, including the provided 
example to try to resolve the issue. Am I missing some steps?



Re: [Freeipa-users] IPA User Group Auto membership

2015-08-15 Thread Rob Crittenden

Yogesh Sharma wrote:

> Team,
>
> We are having an issue configuring Auto Membership for a user group, i.e.
> whenever we add/update a user in IPA, it should get added to a group
> on the basis of his/her Job Title.
>
> Below is the rule:
>
> [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find  dbausers
> Grouping Type: group
> ---
> 1 rules matched
> ---
>    Description: DBA Auto membership
>    Automember Rule: dbausers
>    Inclusive Regex: title=(.*)((?i)(DBA))(.*)
>
> Number of entries returned 1
>
> [root@ipa-inf-prd-ng2-02 ~]#
>
> We are setting Job Title as "Sr. DBA Mgr", "DBA II", etc. However, it is
> not working.
>
> We have tested the regex, and it seems to be working while testing it.


The rules only apply to new entries. In order to apply rules to existing 
entries run: ipa automember-rebuild --type=group


rob



[Freeipa-users] IPA User Group Auto membership

2015-08-15 Thread Yogesh Sharma
Team,

We are having an issue configuring Auto Membership for a user group, i.e.
whenever we add/update a user in IPA, it should get added to a group on the
basis of his/her Job Title.

Below is the rule:

[root@ipa-inf-prd-ng2-02 ~]# ipa automember-find  dbausers
Grouping Type: group
---
1 rules matched
---
  Description: DBA Auto membership
  Automember Rule: dbausers
  Inclusive Regex: title=(.*)((?i)(DBA))(.*)

Number of entries returned 1

[root@ipa-inf-prd-ng2-02 ~]#


We are setting Job Title as "Sr. DBA Mgr", "DBA II", etc. However, it is not
working.

We have tested the regex, and it seems to be working while testing it.


Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

