[Freeipa-users] HBAC rules not applying to Solaris clients

sipazzo sipazzo at yahoo.com
Wed Aug 19 21:31:24 UTC 2015


Thanks Bob, I have tried to implement this and cannot seem to get it to work for me, even though it seems straightforward. I tried both using a user.allow file and adding the netgroup to /etc/passwd, as well as moving lines around in pam.conf and many different versions of pam.conf, but it results in either everyone being able to log in or no one being able to log in. Do you mind sharing your pam.conf with me?
I have the following relevant entries in nsswitch.conf:

    passwd:    files ldap
    group:     files ldap
    shadow:    files ldap
    netgroup:  ldap

From: Bob <harvero at gmail.com>
To: Natxo Asenjo <natxo.asenjo at gmail.com>
Cc: Freeipa-users <freeipa-users at redhat.com>
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:

On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcritten at redhat.com> wrote:

sipazzo wrote:


and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?


HBAC enforcement is provided by sssd, so it doesn't work on Solaris.


One might try using Solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is an RBAC LDAP schema for Solaris (http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html), but I have never tried using it with FreeIPA.

--
Groeten,
natxo
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
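An added example, not code from any of the posters above: a Python model of the allow-list check Bob describes, where a user.allow file names netgroups and the decision is made by resolving the user against nisNetgroupTriple and memberNisNetgroup data of the kind FreeIPA's compat tree publishes. The netgroup data and the allow-list text are constructed for the example, and the allow-list format (bare user names, @netgroup lines, # comments) is a simplified assumption rather than the exact pam_list(5) syntax. It also shows the two netgroup-semantics edge cases that produce "everyone can log in" or "nobody can log in": an empty triple field is a wildcard, while a "-" field never matches.

```python
"""Model of a pam_list-style allow list evaluated against NIS netgroups.

Added example; everything here is constructed for illustration. The netgroup
data mimics the shape of nisNetgroupTriple / memberNisNetgroup attributes,
and the allow-list format (bare user names, "@netgroup" lines, "#" comments)
is a simplified assumption, not the exact pam_list(5) syntax.
"""
from __future__ import annotations

# Constructed sample: netgroup name -> (triples, member netgroups).
NETGROUPS: dict[str, tuple[list[str], list[str]]] = {
    "sol-admins": (["(-,alice,example.com)", "(-,bob,example.com)"], []),
    "sol-ops": (["(-,carol,example.com)"], ["sol-admins"]),
    # A host-only netgroup: "-" in the user field matches no user at all.
    "sol-hosts": (["(solbox.example.com,-,example.com)"], []),
    # An empty field is a wildcard, so this triple matches every user on every
    # host. A netgroup like this in the allow list lets everyone in.
    "sol-everyone": (["(,,example.com)"], []),
    # Mutually nested netgroups, to exercise the cycle guard.
    "loop-a": ([], ["loop-b"]),
    "loop-b": ([], ["loop-a"]),
}

# Constructed allow list in the simplified format described above.
ALLOW_TEXT = """\
# who may log in to the Solaris hosts
@sol-ops
dave
"""


def parse_triple(triple: str) -> tuple[str, str, str]:
    """Split "(host,user,domain)" into its three fields (empty = wildcard)."""
    body = triple.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"malformed netgroup triple: {triple!r}")
    parts = [p.strip() for p in body[1:-1].split(",")]
    if len(parts) != 3:
        raise ValueError(f"netgroup triple needs 3 fields: {triple!r}")
    return parts[0], parts[1], parts[2]


def field_matches(field: str, value: str | None) -> bool:
    """innetgr-style comparison: None means "do not check this field"."""
    if value is None:
        return True
    if field == "-":
        return False      # "-" never matches anything
    if field == "":
        return True       # empty field is a wildcard
    return field == value


def in_netgroup(name: str, netgroups: dict, user: str | None,
                host: str | None = None, domain: str | None = None,
                _seen: set[str] | None = None) -> bool:
    """Recursive membership test with a guard against nested-netgroup cycles."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in netgroups:
        return False
    seen.add(name)
    triples, members = netgroups[name]
    for triple in triples:
        t_host, t_user, t_domain = parse_triple(triple)
        if (field_matches(t_host, host) and field_matches(t_user, user)
                and field_matches(t_domain, domain)):
            return True
    return any(in_netgroup(m, netgroups, user, host, domain, seen) for m in members)


def parse_allow_list(text: str) -> list[str]:
    """Return the non-comment, non-blank entries of an allow-list file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def is_allowed(user: str, allow_text: str, netgroups: dict,
               host: str | None = None, domain: str | None = None) -> bool:
    """True if user is listed directly or is a member of an @netgroup entry."""
    for entry in parse_allow_list(allow_text):
        if entry.startswith("@"):
            if in_netgroup(entry[1:], netgroups, user, host, domain):
                return True
        elif entry == user:
            return True
    return False


if __name__ == "__main__":
    for u in ("alice", "carol", "dave", "mallory"):
        verdict = "allowed" if is_allowed(u, ALLOW_TEXT, NETGROUPS) else "denied"
        print(f"{u}: {verdict}")
```

The host argument defaults to None to mirror a user-only check (innetgr with a NULL host). Passing a host name shows the other failure mode: a host-only netgroup, whose triples carry "-" in the user field, grants no user access, so listing one in the allow file locks everyone out rather than letting hosts in.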


