[Freeipa-users] Can't add AD user group to IPA group

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 11:28:25 UTC 2015


On Tue, 10 Mar 2015, Guertin, David S. wrote:
>> > Seems the initial/default setup for IPA server is to put in an 'allow_all'
>> rule. Thus you can actively manage HBAC but out of the box, it is essentially
>> turned off by that rule.
>>
>> Yes. The default was the opposite a very long time ago: you had to explicitly
>> enable access to the box. But it was causing too many user issues.
>
>OK, I have reinstalled the IPA server with the --no_hbac_allow flag
>(i.e. : ipa-server-install --no_hbac_allow), but the behavior remains
>the same. I can still see all AD users instead of just those in the
>particular group I've added.
>
>Is there something else that needs be done to override the allow_all setting?
Can you be more specific?

If you have the allow_all HBAC rule enabled, it is just that -- any existing user
will be authorized to access any service on any host, given that they authenticate
successfully.

If you disabled the allow_all rule, then some other rule may allow such
access, but without more details about your configuration it is
impossible to say what you are doing.

On top of this you add confusion by saying "I can still see all AD
users" -- what do you mean by this?

Any substantiated shell output would definitely help here to understand
your issues.
-- 
/ Alexander Bokovoy
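The point made above (allow_all grants every authenticated user access to every service on every host, and disabling it only helps if no other rule still matches) can be seen in a small model of HBAC evaluation. This is an added example, not FreeIPA's own code: it reduces an HBAC rule to its enabled flag, user/host/service categories and explicit members, and treats the AD group as one of the groups the requesting user resolves to. The rule name `ad_admins_ssh`, the group `ad_admins_external`, the user and host names are all constructed for the example; only `allow_all` is the stock rule name from the thread. On a real server the equivalent check is `ipa hbactest --user USER --host HOST --service SERVICE`, with `ipa hbacrule-find` listing the rules and their enabled state.

```python
"""Simplified model of FreeIPA HBAC rule evaluation (constructed example, not FreeIPA's code).

HBAC is allow-only: access is granted when at least one enabled rule matches the
user, the host and the service. Each dimension matches either through a category
of "all" or through explicit membership.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: Optional[str] = None      # "all" or None
    hostcat: Optional[str] = None      # "all" or None
    servicecat: Optional[str] = None   # "all" or None
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]   # groups the user resolves to (for AD users: the external group's IPA group)
    host: str
    service: str


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    """A disabled rule never matches; otherwise all three dimensions must match."""
    if not rule.enabled:
        return False
    user_ok = rule.usercat == "all" or req.user in rule.users or bool(req.groups & rule.groups)
    host_ok = rule.hostcat == "all" or req.host in rule.hosts
    svc_ok = rule.servicecat == "all" or req.service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allowed(rules: List[HbacRule], req: AccessRequest) -> List[str]:
    """Names of the rules granting access; an empty list means access is denied."""
    return [r.name for r in rules if rule_matches(r, req)]


def evaluate(allow_all_enabled: bool) -> Dict[str, List[str]]:
    """Evaluate a group member and a non-member against allow_all plus a group-scoped rule."""
    rules = [
        # The stock rule: every user, every host, every service.
        HbacRule("allow_all", enabled=allow_all_enabled,
                 usercat="all", hostcat="all", servicecat="all"),
        # Constructed rule: only members of the AD group, sshd on any host.
        HbacRule("ad_admins_ssh", groups={"ad_admins_external"},
                 hostcat="all", services={"sshd"}),
    ]
    # Constructed requests: one user in the AD group, one AD user outside it.
    member = AccessRequest("alice@ad.example.test", {"ad_admins_external"},
                           "host1.ipa.example.test", "sshd")
    other = AccessRequest("bob@ad.example.test", set(),
                          "host1.ipa.example.test", "sshd")
    return {"member": hbac_allowed(rules, member), "other": hbac_allowed(rules, other)}


if __name__ == "__main__":
    print("allow_all enabled :", evaluate(True))
    print("allow_all disabled:", evaluate(False))
```

With allow_all enabled, both users are granted access (the non-member through allow_all alone), which is the "I can still see all AD users" symptom; with allow_all disabled, only the group member still matches a rule. If the non-member is still admitted after disabling allow_all, some other enabled rule is matching, which is exactly what the shell output being asked for would reveal.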
