[Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

Simo Sorce simo at redhat.com
Tue Jun 14 03:31:34 UTC 2011


Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +0000, JR Aquino wrote:
> 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules; they are there if you
*really* need them, but you do not want to use them if you can avoid
them :)

> 2) add users/usergroups to the rule
> 3) add hosts/hostgroups to the rule
> 4) disable the default 'allow all' rule

Remember that, by default, if a user isn't explicitly allowed the behavior
of HBAC is to deny (that's why we have a default allow_all rule).

> Now any system that has SSSD 1.5 will enforce those HBAC rules.

And if it doesn't we really want to know as it is going to be a security
issue.

Simo.

> For systems that do not support sssd, I have been working on a proof
> of concept authorization module for HBAC written in python.
> 
> -JR
> 
> On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:
> 
> > Hi,
> > 
> > I've seen/read it... and I have a hard copy on my desk in front of me right now...
> > 
> > I find it typical of such documents: it has lots of sections in great detail, but it doesn't tell you how to achieve anything end to end... and often it gives you written instructions on visual tasks, so if you are not in the right bit of the GUI you go nowhere... So it needs far more screenshots and wizards...
> > 
> > regards
> > ________________________________________
> > From: JR Aquino [JR.Aquino at citrix.com]
> > Sent: Tuesday, 14 June 2011 11:53 a.m.
> > To: Steven Jones
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
> > 
> > On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
> > 
> >> I have put 3 clients into a netgroup and added a user; however, when I remove the user from the netgroup the user can still log in! Even if the user wasn't ever in the netgroup they can log in...
> >> 
> >> So how do I stop that?
> >> 
> >> When will we see some documentation on doing user admin tasks like this?
> > 
> > Have a look at this:
> > 
> > http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 

-- 
Simo Sorce * Red Hat, Inc * New York
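To make the default-deny point above concrete, here is an added Python model of HBAC rule evaluation (example code written for this thread, not FreeIPA's or SSSD's own implementation); the user, host, group and service names are constructed, and deny rules are deliberately left out of the model.

```python
"""Minimal model of FreeIPA HBAC evaluation (added example, not FreeIPA code).
Semantics modelled: access is denied unless some *enabled* allow rule matches
the (user, host, service) request, so the default 'allow_all' rule masks every
narrower rule until it is disabled."""

from dataclasses import dataclass, field


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # direct user members
    usergroups: set = field(default_factory=set)   # user groups in the rule
    hosts: set = field(default_factory=set)        # direct host members
    hostgroups: set = field(default_factory=set)   # host groups in the rule
    services: set = field(default_factory=set)     # e.g. {"sshd"}
    user_cat_all: bool = False   # usercategory=all
    host_cat_all: bool = False   # hostcategory=all
    svc_cat_all: bool = False    # servicecategory=all


def rule_matches(rule, user, user_groups, host, host_groups, service):
    """True only if the rule is enabled and its user, host and service parts all match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_cat_all or user in rule.users or bool(user_groups & rule.usergroups)
    host_ok = rule.host_cat_all or host in rule.hosts or bool(host_groups & rule.hostgroups)
    svc_ok = rule.svc_cat_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allowed(rules, user, user_groups, host, host_groups, service):
    """Default deny: any single matching enabled allow rule grants access."""
    return any(rule_matches(r, user, user_groups, host, host_groups, service) for r in rules)


def ssh_allowed(allow_all_enabled, user_in_ops):
    """Constructed scenario: user 'steven' ssh-ing to a host in hostgroup 'webservers'.
    Only the 'ops_ssh' rule is meant to grant that; 'allow_all' is the stock default."""
    allow_all = HBACRule("allow_all", enabled=allow_all_enabled,
                         user_cat_all=True, host_cat_all=True, svc_cat_all=True)
    ops_ssh = HBACRule("ops_ssh", usergroups={"ops"},
                       hostgroups={"webservers"}, services={"sshd"})
    groups = {"ops"} if user_in_ops else set()
    return hbac_allowed([allow_all, ops_ssh], "steven", groups,
                        "web1.example.test", {"webservers"}, "sshd")
```

With allow_all still enabled, removing the user from the group changes nothing, which is exactly the symptom reported at the top of the thread; once allow_all is disabled, only group members get in.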