[Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

Steven Jones Steven.Jones at vuw.ac.nz
Tue Jun 14 01:34:41 UTC 2011


Hmm,

So what's the default rule? Can I set precedence? Is there any?

Example.

So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to login to specific hostgroups servers....that didn't work...

So I disabled the deny_all rule and users in the specific group can login to the specific server, and if I remove them from the user group they cannot login, so OK good BUT the trouble is a second user that is in no groups at all can also login to the servers, which shouldn't occur...or at least I don't want that to occur...so something is set incorrectly.

Is there a way to "suck out" the HBAC rules or whatever info for the user at the command line? I certainly can't find why that second user can login, it should not be able to, but it can.

regards


________________________________________
From: JR Aquino [JR.Aquino at citrix.com]
Sent: Tuesday, 14 June 2011 1:10 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept authorization module for HBAC written in python.

-JR

On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:

> Hi,
>
> I've seen/read it.....and I have a hard copy on my desk in front of me right now....
>
> I find it typical of such documents, it has lots of sections in great detail but it doesn't tell you how to achieve anything end to end....and often it gives you written instructions on visual tasks so if you are not in the right bit of the gui you go nowhere.....So it needs far more screenshots and wizards....
>
> regards
> ________________________________________
> From: JR Aquino [JR.Aquino at citrix.com]
> Sent: Tuesday, 14 June 2011 11:53 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
>
> On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
>
>> I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still login! Even if the user wasn't ever in the netgroup they can login....
>>
>> So how do I stop that?
>>
>> When will we see some documentation on doing user admin tasks like this?
>
> Have a look at this:
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
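
The rule evaluation discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or SSSD code: a small Python model of how the allow_all, deny_all and group-specific rules combine for a group member and for a user in no groups. It assumes that a matching deny rule overrides any allow rule and that a login matched by no enabled rule is refused; all user, group, host and rule names other than allow_all and deny_all are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str                      # "allow" or "deny"
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    hostgroups: frozenset = frozenset()
    all_users: bool = False        # models a rule that applies to every user
    all_hosts: bool = False        # models a rule that applies to every host
    enabled: bool = True

    def matches(self, user, user_groups, host, host_groups):
        user_ok = self.all_users or user in self.users or bool(self.groups & user_groups)
        host_ok = self.all_hosts or host in self.hosts or bool(self.hostgroups & host_groups)
        return self.enabled and user_ok and host_ok


def evaluate(rules, user, user_groups, host, host_groups):
    """Return (granted, names of the enabled rules that matched) for one login."""
    hits = [r for r in rules if r.matches(user, set(user_groups), host, set(host_groups))]
    names = [r.name for r in hits]
    if any(r.kind == "deny" for r in hits):
        return False, names        # assumption: one matching deny rule wins
    # assumption: with no matching allow rule the login is refused
    return any(r.kind == "allow" for r in hits), names


def sample_rules(allow_all=False, deny_all=False):
    """Constructed rule set mirroring the three rules described in the thread."""
    return [
        Rule("allow_all", "allow", all_users=True, all_hosts=True, enabled=allow_all),
        Rule("deny_all", "deny", all_users=True, all_hosts=True, enabled=deny_all),
        Rule("admins_to_web", "allow", groups=frozenset({"webadmins"}),
             hostgroups=frozenset({"webservers"})),
    ]


if __name__ == "__main__":
    member = ("alice", {"webadmins"}, "web1.example.com", {"webservers"})
    outsider = ("bob", set(), "web1.example.com", {"webservers"})
    for label, rules in [("allow_all enabled", sample_rules(allow_all=True)),
                         ("deny_all enabled", sample_rules(deny_all=True)),
                         ("specific rule only", sample_rules())]:
        for who in (member, outsider):
            print(label, who[0], evaluate(rules, *who))
```

The list of matching rule names in the result shows which rule let a given login through, which is the first thing to check when a user outside every group is still admitted.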




