[Freeipa-users] HBAC rules not applying to Solaris clients

sipazzo sipazzo at yahoo.com
Wed Aug 19 18:27:35 UTC 2015


Ah, I would love to help but have only been a Unix sysadmin for a couple years now (came from Windows side of house) and have little coding ability. Still happy to help in any way I can though if you can find a place/need for me. You have all been very helpful to me so I would like to give back if I can.

From: Jakub Hrozek <jhrozek at redhat.com>
To: Martin Kosek <mkosek at redhat.com>
Cc: Freeipa-users <freeipa-users at redhat.com>
Sent: Wednesday, August 19, 2015 12:23 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcritten at redhat.com
> ><mailto:rcritten at redhat.com>> wrote:
> >
> >    sipazzo wrote:
> >
> >
> >        and my users are able to authenticate to the directory but the hbac
> >        rules are not being applied. Any user whether given access or not can
> >        login to the Solaris systems. The "allow-all" rule has been disabled, my
> >        nsswitch.conf file looks good and I have tried different configs of
> >        pam.d, including the provided example to try to resolve the issue. Am I
> >        missing some steps?
> >
> >
> >    HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
> 
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> 
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow, RHEL maintenance tends to eat
most time.


