[Freeipa-users] HBAC rules not applying to Solaris clients
Jakub Hrozek
jhrozek at redhat.com
Wed Aug 19 07:23:05 UTC 2015
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > sipazzo wrote:
> >
> >
> > and my users are able to authenticate to the directory but the HBAC
> > rules are not being applied. Any user, whether given access or not, can
> > log in to the Solaris systems. The "allow-all" rule has been disabled, my
> > nsswitch.conf file looks good and I have tried different configs of
> > pam.d, including the provided example to try to resolve the issue. Am I
> > missing some steps?
> >
> >
> > HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >One might try using Solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is an RBAC LDAP schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for Solaris,
> >but I have never tried using it with FreeIPA.
> >
> >--
> >Groeten,
> >natxo
>
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
>
> https://github.com/jhrozek/pam_hbac
Btw, I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow; RHEL maintenance tends to eat
most time.