[Freeipa-users] HBAC Test - web vs command line - returns different results

Michael Mercier mmercier at gmail.com
Mon Sep 17 14:55:24 UTC 2012


On 2012-09-17, at 10:33 AM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>> 
>>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>>> Hello,
>>>> 
>>>> I seem to be having a problem with the HBAC test:
>>>> 
>>>> Versions:
>>>> [root at ipaserver ipatest]# rpm -qa|grep ^ipa
>>>> ipa-server-2.2.0-16.el6.x86_64
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> ipa-python-2.2.0-16.el6.x86_64
>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>> ipa-client-2.2.0-16.el6.x86_64
>>>> 
>>>> 
>>>> On the web console:
>>>> 
>>>> Browse to HBAC TEST
>>>> 
>>>> Who: mike
>>>> Accessing: pix.beta.local
>>>> Via service: tac_plus
>>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>>> Rules: tacacs
>>>> 
>>>> Run Test -> Access Granted with matched rules showing tacacs
>>>> 
>>>> On the command line:
>>>> 
>>>> ipa hbactest
>>>> User name: mike
>>>> Target Host: pix.beta.local
>>>> Service: tac_plus
>>>> ---------------------
>>>> Access granted: False
>>>> ---------------------
>>>>  Not matched rules: tacacs
>>>> 
>>>> tacacs rule:
>>>> General: Enabled
>>>> Who: user group: ciscoadmin -> mike is a member
>>>> accessing: cisco-devices -> pix.beta.local is a member
>>>> Via Service: tac_plus
>>>> From: any host
>>>> 
>>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>> 
>>>> Any ideas?
>>>> 
>>>> Thanks,
>>>> Mike
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> 
>>>> 
>>> I do not know whether this issue was resolved. Hope it was on the IRC or
>>> in some other way.
>>> 
>>> The problem above is related to the "from host" I believe.
>>> Please do not use the "from host". The whole concept is a bit broken and
>>> not reliable.
>> 
>> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>> 
>> Input form contains invalid of missing values.
>> 
>> Missing values:
>>      Source host.
> 
> I believe this value is ignored anyway.
> 
> This is very strange as the same backend is used to evaluate both the web and cli rules.
> 
> It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.
> 
> If you want to give this a go, edit /etc/ipa/default.conf and add
> 
> debug = True

Hello,

I set up default.conf with debug = True, and I am unable to reproduce the different results?

Removed the debug statement and restarted httpd; both interfaces produce the same result (success).

Thanks,
Mike

> 
> and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response.
> 
> You probably don't want to leave this enabled for too long.
> 
> rob
> 
> 
> 
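The HBAC rule being tested in this thread (user group ciscoadmin, host group cisco-devices, service tac_plus, source host "any", with allow_all disabled) is evaluated below in a small Python model. This is an added example, not FreeIPA's own hbactest code or its LDAP data model: the group memberships, rule names and the `source_host` parameter that is accepted but never consulted are assumptions constructed from the thread, and the evaluator only mirrors the match semantics described in the messages (enabled rule, user or user group, host or host group, service; disabled rules are skipped).

```python
"""Simplified model of HBAC rule evaluation, built from the thread above.

Added example, not FreeIPA code. A rule grants access when it is enabled
and the user, target host and service each match one of the rule's
members (directly, via a group, or via an "all" category). The source
host is accepted so the call shape resembles the hbactest prompt, but it
does not take part in the decision, reflecting the thread's statement
that the "from host" value is ignored.
"""
from dataclasses import dataclass, field


@dataclass
class HBACRule:
    name: str
    enabled: bool
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    # "all" categories behave like FreeIPA's allow_all rule: match anything.
    user_category_all: bool = False
    host_category_all: bool = False
    service_category_all: bool = False


# Constructed directory data mirroring the thread (assumption, not real LDAP).
USER_GROUPS = {"ciscoadmin": {"mike"}}
HOST_GROUPS = {"cisco-devices": {"pix.beta.local"}}

# The two rules mentioned in the thread: tacacs enabled, allow_all disabled.
RULES = [
    HBACRule(
        name="tacacs",
        enabled=True,
        user_groups={"ciscoadmin"},
        host_groups={"cisco-devices"},
        services={"tac_plus"},
    ),
    HBACRule(
        name="allow_all",
        enabled=False,
        user_category_all=True,
        host_category_all=True,
        service_category_all=True,
    ),
]


def _in_groups(member, group_names, group_table):
    """True if `member` belongs to any of the named groups."""
    return any(member in group_table.get(g, set()) for g in group_names)


def rule_matches(rule, user, host, service):
    """Evaluate one rule; disabled rules never match."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_category_all or user in rule.users
               or _in_groups(user, rule.user_groups, USER_GROUPS))
    host_ok = (rule.host_category_all or host in rule.hosts
               or _in_groups(host, rule.host_groups, HOST_GROUPS))
    service_ok = rule.service_category_all or service in rule.services
    return user_ok and host_ok and service_ok


def hbactest(rules, user, host, service, source_host=None):
    """Mimic the hbactest report: granted flag plus matched/not-matched rules.

    `source_host` is deliberately unused; only enabled rules are evaluated,
    so a disabled allow_all appears in neither list.
    """
    enabled = [r for r in rules if r.enabled]
    matched = [r.name for r in enabled if rule_matches(r, user, host, service)]
    not_matched = [r.name for r in enabled if r.name not in matched]
    return {
        "access_granted": bool(matched),
        "matched": matched,
        "not_matched": not_matched,
    }


if __name__ == "__main__":
    # The case from the thread: should be granted via the tacacs rule.
    print(hbactest(RULES, "mike", "pix.beta.local", "tac_plus",
                   source_host="ipaclient.beta.local"))
    # Same user and host, different service: tacacs is listed as not matched.
    print(hbactest(RULES, "mike", "pix.beta.local", "sshd"))
```

Running the block with the thread's inputs reports access granted with `tacacs` matched, and changing only the service or the user moves `tacacs` to the not-matched list. Because the result is the same whether or not `source_host` is supplied, the model also illustrates why the web form's mandatory "Source host" field should not change the outcome.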