Hello. I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as a whole, or if someone has created scripts or the like, that perform access rights lookups without doing the typical HBAC rule lookups, which require user -> host -> service (as far as I know), where those things are required to actually perform the access granted/denied test. Basically, what I'm trying to figure out is whether there is a way to pick a host, for example, and get a list of who can access the system on a specific service (or any service, for that matter).
The reason I ask is I'm trying to figure out how to properly perform "audits" at my place of work, i.e. for PCI and SOX. And as far as I can tell, there's no easy way to do this when we have, for example, two HBAC policies that allow all hosts (so there are no "member" attributes on the directory objects, just hostCategory all) and then the majority of the policies are using groups rather than specific individuals, so I'd have to get a list of all of the users, including the ones that are in AD across the trust. If there isn't something like this built in, has someone done something like this before? I'd like to try to avoid rolling my own solution if possible, but if I had to roll my own solution, I could use some advisement or hints on something like this.