[Freeipa-users] HBAC rules not applying to Solaris clients

Martin Kosek mkosek at redhat.com
Tue Aug 18 19:05:14 UTC 2015


On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
>
>
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     sipazzo wrote:
>
>
>         and my users are able to authenticate to the directory but the hbac
>         rules are not being applied. Any user whether given access or not can
>         log in to the Solaris systems. The "allow-all" rule has been disabled, my
>         nsswitch.conf file looks good and I have tried different configs of
>         pam.d, including the provided example to try to resolve the issue. Am I
>         missing some steps?
>
>
>     HBAC enforcement is provided by sssd so doesn't work in Solaris.
>
>
> One might try using Solaris' RBAC system:
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all Solaris systems.
>
> There is an RBAC LDAP schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for Solaris,
> but I have never tried using it with FreeIPA.
>
> --
> Groeten,
> natxo

Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:

https://github.com/jhrozek/pam_hbac

:-)

Martin