[Freeipa-users] HBAC Test - web vs command line - returns different results

Dmitri Pal dpal at redhat.com
Mon Sep 17 14:28:18 UTC 2012


On 09/17/2012 09:47 AM, Michael Mercier wrote:
> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> Versions:
>>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>>
>>>
>>> On the web console:
>>>
>>> Browse to HBAC TEST
>>>
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>> Rules: tacacs
>>>
>>> Run Test -> Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>>
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> ---------------------
>>> Access granted: False
>>> ---------------------
>>>  Not matched rules: tacacs
>>>
>>> tacacs rule:
>>> General: Enabled
>>> Who: user group: ciscoadmin -> mike is a member
>>> accessing: cisco-devices -> pix.beta.local is a member
>>> Via Service: tac_plus
>>> From: any host
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Mike
>>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or
>> in some other way.
>>
>> The problem above is related to the "from host" I believe.
>> Please do not use the "from host". The whole concept is a bit broken and
>> not reliable.
> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>
> Input form contains invalid or missing values.
>
> Missing values:
>      Source host.

You need to choose the "all" option to ignore the values from this field.

>
>
> Thanks,
> Mike
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

