[Freeipa-users] HBAC and SUDO rules for legacy clients

Dmitri Pal dpal at redhat.com
Mon Apr 20 21:26:18 UTC 2015


On 04/20/2015 12:08 PM, Srdjan Dutina wrote:
> Sorry for misunderstanding.
>
> I understand HBAC rules will not work for Centos 5. I just wanted to 
> make sure disabling "allow all" rule and adding new HBAC rules won't 
> interfere with AD users logging on Centos 5.

To clarify:
CentOS 5 needs to point to compat tree for AD users to authenticate.
You need to use the LDAP SSSD back end for that, not the IPA SSSD back end 
(the identity provider setting in sssd.conf).
Once you use the LDAP back end you need to use some other access control 
configuration, not HBAC, as HBAC comes only when you use the IPA SSSD back end.
You can use an LDAP filter, the simple access provider, or some other 
option that is supported in SSSD 1.5 against LDAP.

Does this make sense?


>
> On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy <abokovoy at redhat.com 
> <mailto:abokovoy at redhat.com>> wrote:
>
>     On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>     >Just found in
>     >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>     the next
>     >sentence: "If you have HBAC's allow_all rule disabled, you will
>     need to
>     >allow system-auth service on the FreeIPA  master, so that
>     authentication of
>     >the AD users can be performed."
>     >Is this true for FreeIPA 4.1.0 also and how could I do this?
>     Either you are reading it wrong or I don't get where you want to apply
>     HBAC rules because this is for IPA masters, not legacy clients per se.
>     Yes, you need to create HBAC service named 'system-auth' and grant
>     access to it to AD users on IPA masters, but all it will allow you
>     is to
>     authenticate AD users via compat tree.
>
>     If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD
>     users
>     cannot be checked by those rules.
>
>
>
>     --
>     / Alexander Bokovoy


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
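The setup Dmitri describes (generic LDAP back end pointed at the compat tree, access control done by SSSD's simple provider instead of HBAC) is shown below as an added sssd.conf example. It is not from the thread or from the FreeIPA project: the hostname ipa.example.com, the base DN dc=example,dc=com, the CA path and the group names are constructed placeholders, and the compat subtree layout and option availability on SSSD 1.5 are assumptions.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa-compat

[domain/ipa-compat]
# Generic LDAP back end: the IPA back end (and with it HBAC evaluation) is
# not usable from a CentOS 5 client, so identity and auth go over plain LDAP.
id_provider = ldap
auth_provider = ldap
chpass_provider = none

# Placeholder server and CA certificate path (assumed, not from the thread)
ldap_uri = ldaps://ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_schema = rfc2307

# The compat tree exposes AD users and groups as flat POSIX entries.
# Subtree names are the usual FreeIPA compat layout; base DN is constructed.
ldap_search_base = cn=compat,dc=example,dc=com
ldap_user_search_base = cn=users,cn=compat,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=compat,dc=example,dc=com

# HBAC cannot be enforced here, so restrict logins client-side with the
# simple access provider. Group names are constructed examples.
access_provider = simple
simple_allow_groups = ad_admins, legacy_ops

# Alternative (assumed): an LDAP filter evaluated against the user entry.
# Compat user entries carry only rfc2307 attributes, so filter on those.
# access_provider = ldap
# ldap_access_filter = (uid=*)

cache_credentials = true
```

With this in place the client never consults HBAC, so disabling the IPA "allow all" rule does not affect it; what the server-side HBAC rule for the 'system-auth' service (Alexander's point) still controls is whether the IPA master will authenticate AD users through the compat tree at all. The simple provider is chosen over an LDAP filter because group membership in the compat tree is expressed with memberUid on the group, not memberOf on the user, so a group-based filter on the user entry would not match.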
