[Freeipa-users] Can't add AD user group to IPA group

Jakub Hrozek jhrozek at redhat.com
Tue Mar 10 11:30:52 UTC 2015


On Tue, Mar 10, 2015 at 11:14:21AM +0000, Guertin, David S. wrote:
> > > Seems the initial/default setup for IPA server is to put in an 'allow_all'
> > > rule. Thus you can actively manage HBAC but out of the box, it is essentially
> > > turned off by that rule.
> > 
> > Yes. The default was the opposite a very long time ago: you had to explicitly
> > enable access to the box. But it was causing too many user issues.
> 
> OK, I have reinstalled the IPA server with the --no_hbac_allow flag (i.e. ipa-server-install --no_hbac_allow), but the behavior remains the same. I can still see all AD users instead of just those in the particular group I've added.
> 
> Is there something else that needs to be done to override the allow_all setting?

Can you also log in with them?

The HBAC rules don't prevent retrieving identity information, only
access to the system.
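Added example (not part of this thread): a small POSIX shell script that makes the distinction above checkable on an enrolled IPA client. It assumes a valid Kerberos ticket for the ipa commands; the user, host and service names are placeholders.

```sh
#!/bin/sh
# Identity lookup vs. HBAC access evaluation on an IPA client.
# Assumptions: ipa client tools, SSSD/NSS configured, and a Kerberos
# ticket (kinit) for the `ipa` calls. Names passed in are placeholders.

# Parse `ipa hbacrule-show allow_all` output on stdin.
# Returns 0 when the rule reports "Enabled: TRUE".
allow_all_enabled() {
    grep -q '^[[:space:]]*Enabled: TRUE'
}

# Parse `ipa hbactest` output on stdin; print "granted" or "denied".
hbac_decision() {
    if grep -q 'Access granted: True'; then
        echo granted
    else
        echo denied
    fi
}

# Live check: identity resolution happens regardless of HBAC; only the
# hbactest result reflects whether the user may log in to HOST via SERVICE.
# Usage: live_check 'aduser@ad.example.test' client.example.test sshd
live_check() {
    user=$1; host=$2; service=${3:-sshd}

    if getent passwd "$user" >/dev/null 2>&1; then
        echo "identity: $user resolves via NSS/SSSD (HBAC does not affect this)"
    else
        echo "identity: $user does NOT resolve (trust/SSSD problem, not HBAC)"
    fi

    if ipa hbacrule-show allow_all 2>/dev/null | allow_all_enabled; then
        echo "hbac: allow_all rule is enabled; every user will be granted access"
    else
        echo "hbac: allow_all rule is absent or disabled"
    fi

    decision=$(ipa hbactest --user "$user" --host "$host" --service "$service" 2>/dev/null | hbac_decision)
    echo "hbac: access for $user to $host/$service: $decision"
}

if [ "$#" -ge 2 ]; then
    live_check "$@"
fi
```

Run it as `sh hbac_check.sh 'aduser@ad.example.test' client.example.test sshd`; the first line shows identity resolution and the last shows the HBAC decision, which is what changes when allow_all is removed.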
