[Freeipa-users] Active Directory users are not controlled by HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Fri Jan 22 13:36:36 UTC 2016


Thanks for your reply.  I understand what you are saying but don't see how
this would work because Allow_All is my current situation (even with this
rule disabled).  My understanding is you can't restrict through a rule, only
limit.  Am I missing something?




On 1/22/16, 1:51 PM, "freeipa-users-bounces at redhat.com on behalf of Jakub
Hrozek" <freeipa-users-bounces at redhat.com on behalf of jhrozek at redhat.com>
wrote:

>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hi.
>> 
>> I have been successful using Freeipa 4.1 configuring active directory
>>users and with sudo.  The problem I am having is that the HBAC rules are
>>not applying to my active directory users.  They have access to all
>>systems even if I disable my Allow_ALL rule.  Is there something special
>>I should be doing to domain?
>
>Normally HBAC for AD users should be done through an external group you
>add the AD users or groups to, then add the external group to a regular
>IPA group and reference this IPA group from HBAC rules.
>
>There have been bugs related to external groups resolution, so please
>update to the latest IPA and SSSD packages also.
>
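The mapping described in the quoted reply (AD group into an external group, external group into a regular IPA group, IPA group referenced from the HBAC rule), written out as `ipa` CLI commands. This is an added example, not part of the original thread; every group, rule, host and user name is a constructed placeholder, and it assumes an established AD trust and an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example: map an AD group into an IPA group and gate access with HBAC.
# All names below are constructed placeholders; replace them for your site.
IPA="${IPA:-ipa}"                      # CLI to call; override for a dry run
AD_GROUP='AD\Domain Admins'            # assumed AD group (NETBIOS\name form)
EXT_GROUP='ad_admins_external'         # non-POSIX external group (assumed name)
IPA_GROUP='ad_admins'                  # regular IPA group (assumed name)
RULE='allow_ad_admins'                 # HBAC rule (assumed name)
HOST='web01.ipa.example.com'           # enrolled IPA client (assumed)
TEST_USER='alice@ad.example.com'       # AD user to test with (assumed)

map_ad_group() {
    # 1. External group holds the AD members.
    $IPA group-add "$EXT_GROUP" --external --desc='AD members (external)' || return 1
    # Some versions prompt for [member user]/[member group] here; leave them empty.
    $IPA group-add-member "$EXT_GROUP" --external "$AD_GROUP" || return 1
    # 2. Regular IPA group contains the external group.
    $IPA group-add "$IPA_GROUP" --desc='AD admins' || return 1
    $IPA group-add-member "$IPA_GROUP" --groups "$EXT_GROUP" || return 1
}

create_hbac_rule() {
    # 3. The HBAC rule references the IPA group, never the AD group directly.
    $IPA hbacrule-add "$RULE" --desc='AD admins via sshd' || return 1
    $IPA hbacrule-add-user "$RULE" --groups="$IPA_GROUP" || return 1
    $IPA hbacrule-add-host "$RULE" --hosts="$HOST" || return 1
    $IPA hbacrule-add-service "$RULE" --hbacsvcs=sshd || return 1
}

verify_rule() {
    # Simulate evaluation for the AD user before relying on the rule.
    $IPA hbactest --user="$TEST_USER" --host="$HOST" --service=sshd
}

# Run only when asked to: sh script.sh apply   (needs a Kerberos admin ticket)
if [ "${1:-}" = "apply" ]; then
    map_ad_group && create_hbac_rule && verify_rule
fi
```

Setting `IPA` to a command that only echoes its arguments gives a dry run of the exact calls before anything is changed on the server.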




