[Freeipa-users] HBAC rules take in effect on IPA clients immediately after installation?
Jakub Hrozek
jhrozek at redhat.com
Sat May 19 17:12:37 UTC 2012
On Fri, May 18, 2012 at 02:27:15PM -0700, Gelen James wrote:
> Hi all,
> Just like to clarify my confusion: Are the HBAC (Host Based Access
> Control) rules immediately in effect after IPA client software
> configurations through sssd? Do we have any options inside sssd.conf to
> enable/disable the HBAC rules per machine (inside IPA domain)? I have this
> question because some important servers need to be available all the
> time, even badly written HBAC rules could block access to all other
> servers.
> Another very close question is: what are the scenarios to use '--permit'
> option to 'ipa-client-install'? the manual says 'Configure SSSD to permit
> all access. Otherwise the machine will be controlled by the Host-based
> Access Controls (HBAC) on the IPA server.'. So is this the solution to the
> above problem?
> Thanks a lot.
> --Gelen
Yes, passing --permit to ipa-client-install is the solution to your
problem.

What it does under the hood is set access_provider = permit in the
sssd.conf, which means "always allow access". See man sssd.conf(5) for
more information on the default access providers.
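The following audit script is an added example, not part of the original reply or of FreeIPA/SSSD: it reports, for each enabled domain in an sssd.conf, whether HBAC is actually enforced (access_provider = ipa) or bypassed. The sample configs and the domain name example.test are constructed, and a missing access_provider is treated as permit, the default documented in sssd.conf(5).

```python
import configparser
import sys

# Constructed sample configs (not taken from the thread).
PERMIT_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = permit
"""
HBAC_CONF = PERMIT_CONF.replace("access_provider = permit", "access_provider = ipa")
UNSET_CONF = PERMIT_CONF.replace("access_provider = permit\n", "")


def audit_access_providers(conf_text):
    """Return {domain: (access_provider, hbac_enforced)} for enabled domains."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Only domains listed in [sssd] domains are active.
    listed = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in listed.split(",") if d.strip()]
    result = {}
    for dom in enabled:
        section = "domain/" + dom
        if not cp.has_section(section):
            result[dom] = (None, False)  # listed but not configured
            continue
        # Assumption from sssd.conf(5): unset access_provider means "permit".
        provider = cp.get(section, "access_provider", fallback="permit")
        provider = provider.strip().lower()
        # HBAC rules from the IPA server are evaluated only by the ipa provider.
        result[dom] = (provider, provider == "ipa")
    return result


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = PERMIT_CONF
    for dom, (prov, enforced) in audit_access_providers(text).items():
        state = "HBAC enforced" if enforced else "HBAC NOT enforced"
        print(f"{dom}: access_provider={prov} -> {state}")
```

Running it against /etc/sssd/sssd.conf on each client (as root) shows which hosts were enrolled with --permit and therefore ignore HBAC rules defined on the IPA server.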