[Freeipa-users] UNABLE TO SEARCH HBAC RULE

2016-01-20 Thread Yogesh Sharma
Hi,

We have created a user with HBAC Admin permission which has the below
permissions (default as provided by IPA):

System: Add HBAC Rule
System: Add HBAC Service Groups
System: Add HBAC Services
System: Delete HBAC Rule
System: Delete HBAC Service Groups
System: Delete HBAC Services
System: Manage HBAC Rule Membership
System: Manage HBAC Service Group Membership
System: Modify HBAC Rule

When I try to add the below in a new RBAC, it denied the operation as it is
already open for all.

System: Read HBAC Rules
System: Read HBAC Service Groups
System: Read HBAC Services


If we change it to permission, then login is failing.

Please suggest what we need to do so that HBAC admin can search the HBAC
rule in FreeIPA rule.



*Best Regards,*

*Yogesh Sharma*
*Email: yks0...@gmail.com | Web: www.initd.in*

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Unable to search HBAC Rule

2016-01-20 Thread Martin Basti



On 20.01.2016 14:26, Yogesh Sharma wrote:

> Hi,
>
> We have created a user with HBAC Admin permission which has the below
> permissions (default as provided by IPA):
>
> System: Add HBAC Rule
> System: Add HBAC Service Groups
> System: Add HBAC Services
> System: Delete HBAC Rule
> System: Delete HBAC Service Groups
> System: Delete HBAC Services
> System: Manage HBAC Rule Membership
> System: Manage HBAC Service Group Membership
> System: Modify HBAC Rule
>
> When I try to add the below in a new RBAC, it denied the operation as it is
> already open for all.
>
> System: Read HBAC Rules
> System: Read HBAC Service Groups
> System: Read HBAC Services
>
> If we change it to permission, then login is failing.
>
> Please suggest what we need to do so that HBAC admin can search the
> HBAC rule in FreeIPA rule.

Hello, which version of IPA do you use?

This has been fixed (workaround).
https://fedorahosted.org/freeipa/ticket/5130

The proper fix requires changes in DS ACI evaluation that should be in 
RHEL 7.3


Martin




Re: [Freeipa-users] Unable to search HBAC Rule

2016-01-20 Thread Yogesh Sharma
Hi Martin,

FreeIPA version 4.1.0

Will look into the Workaround. Thanks

*Best Regards,*

*Yogesh Sharma*
*Email: yks0...@gmail.com | Web: www.initd.in*

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*


On Wed, Jan 20, 2016 at 7:04 PM, Martin Basti wrote:

> On 20.01.2016 14:26, Yogesh Sharma wrote:
>
> > Hi,
> >
> > We have created a user with HBAC Admin permission which has the below
> > permissions (default as provided by IPA):
> >
> > System: Add HBAC Rule
> > System: Add HBAC Service Groups
> > System: Add HBAC Services
> > System: Delete HBAC Rule
> > System: Delete HBAC Service Groups
> > System: Delete HBAC Services
> > System: Manage HBAC Rule Membership
> > System: Manage HBAC Service Group Membership
> > System: Modify HBAC Rule
> >
> > When I try to add the below in a new RBAC, it denied the operation as it is
> > already open for all.
> >
> > System: Read HBAC Rules
> > System: Read HBAC Service Groups
> > System: Read HBAC Services
> >
> > If we change it to permission, then login is failing.
> >
> > Please suggest what we need to do so that HBAC admin can search the HBAC
> > rule in FreeIPA rule.
>
> Hello, which version of IPA do you use?
>
> This has been fixed (workaround).
> https://fedorahosted.org/freeipa/ticket/5130
>
> The proper fix requires changes in DS ACI evaluation that should be in
> RHEL 7.3
>
> Martin