[Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
Rob Crittenden
rcritten at redhat.com
Tue Jun 14 03:27:34 UTC 2011
Steven Jones wrote:
> Hmm,
>
> So what's the default rule? Can I set precedence? Is there any?
The default rule is deny.
>
> Example.
>
> So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to log in to specific hostgroups servers....that didn't work...
>
> So I disabled the deny_all rule and users in the specific group can log in to the specific server, and if I remove them from the user group they cannot log in, so OK good BUT the trouble is a second user that is in no groups at all can also log in to the servers, which shouldn't occur...or at least I don't want that to occur...so something is set incorrectly.
>
> Is there a way to "suck out" the HBAC rules or whatever info for the user at the command line? I certainly can't find why that second user can log in, it should not be able to, but it can.
>
> regards
It is currently very easy to create bad HBAC rules. The only real way to
test them is to crank up the debug level in sssd and watch the logs.
We and the sssd team are in the process of writing a utility where you
can simulate a rule execution and get feedback on how the rule will work
(or if pieces are missing).
rob
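
The kind of rule simulation described in the reply above, as an added example (not FreeIPA or SSSD code, and not part of the original post). It assumes a simplified model: allow rules only, no service matching, and constructed rule, user and host names. Listing the rules that matched shows which one let a given user in.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    user_all: bool = False   # user category "all"
    host_all: bool = False   # host category "all"

def matching_rules(rules, user, user_groups, host, host_groups):
    """Return names of enabled allow rules that match this login attempt."""
    hits = []
    for r in rules:
        if not r.enabled:
            continue
        user_ok = r.user_all or user in r.users or bool(r.groups & user_groups)
        host_ok = r.host_all or host in r.hosts or bool(r.hostgroups & host_groups)
        if user_ok and host_ok:
            hits.append(r.name)
    return hits

def simulate(rules, user, user_groups, host, host_groups):
    """Default deny: access is granted only if at least one rule matches."""
    hits = matching_rules(rules, user, user_groups, host, host_groups)
    return ("ALLOW" if hits else "DENY", hits)

# Constructed sample data (hypothetical, not the configuration from the thread).
RULES = [
    Rule("allow_all", enabled=False, user_all=True, host_all=True),
    Rule("admins_to_web", groups={"webadmins"}, hostgroups={"webservers"}),
    # A broad rule left enabled: any user, one host group.
    Rule("legacy_access", user_all=True, hostgroups={"webservers"}),
]

if __name__ == "__main__":
    for user, groups in [("alice", {"webadmins"}), ("bob", set())]:
        result = simulate(RULES, user, groups, "web1.example.com", {"webservers"})
        print(user, result)
```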