[Freeipa-users] HBAC - expected behaviour?

Jan Pazdziora jpazdziora at redhat.com
Wed Feb 19 14:24:44 UTC 2014


On Tue, Feb 04, 2014 at 04:11:12AM +0000, Les Stott wrote:
> 
> If I access the host "host1" and remove allow_all from its defined HBAC rules in the web ui, jane can still access host1 via ssh (actually tested login).

I can see you've found the solution already but I'd like to go back to
this part.

You say that you have removed allow_all from its defined HBAC rules
in the WebUI. However, when I try this on my FreeIPA server, I don't
see allow_all listed for any of my hosts (neither in the Direct nor
Indirect Membership listing).

Is it possible that you've added that host to allow_all on top of its
"Any Host" (aka Host category: all) manually and then removed it?

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat



