the easiest way to handle your situation is to create a new group for
allowed hosts, add all current hosts, then remove the 10 you care about.
Finally set up an auto-membership rule so all new hosts are
automatically added to that group.
You will have to monitor/remove any new "special" server you may add,
but this will work to obtain your "negate" rule in an easily
maintainable way.
HTH,
Simo.
On Mon, 2019-07-29 at 11:31 -0400, Rob Crittenden via FreeIPA-users
wrote:
> Christian Reiss via FreeIPA-users wrote:
> > Hey,
> >
> > I take it this is not possible and no one does this?
>
> It is not possible. HBAC only provides allow rules.
>
> rob
>
> >
> > -Chris.
> >
> > On 26/07/2019 17:00, Christian Reiss via FreeIPA-users wrote:
> > > Hey folks,
> > >
> > > We are running a lot of servers, we nearly exhausted and allocated our
> > > /29 ipv6 allocation*.
> > >
> > > Let's say we have 10 really, really important servers that only a
> > > handful of people should be able to access. Everyone else not.
> > >
> > > So I have a fixed group of known "critical servers" and a dynamic, ever
> > > changing group of "the rest". As I have not yet found a "negate" option
> > > what is the smartest way to allow a fixed group to a fixed set of
> > > servers, while everyone else has access to everything else but this?
> > >
> > >
> > > Thanks and have a great weekend folks!
> > > -Chris.
> > >
> > > * Alternate facts disclaimer: The given number has been optimized to
> > > impress, bedazzle and to intimidate. The real number of hosts might be
> > > substantially smaller.
> > >
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > >
> >
> >
> >
> >
>
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
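The layout Simo describes (a fixed critical hostgroup, an "everyone else" hostgroup kept current by an automember rule, and two HBAC allow rules standing in for the missing "negate") written out with the ipa CLI. This is an added example, not code from the thread or from the FreeIPA project. The hostgroup and rule names, the `critical-admins` user group, the `.example.com` regex and the test user `alice` are assumptions; `DRY_RUN=1` (the default) prints the ipa commands instead of running them, so the script can be read and tested without an IPA server.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from FreeIPA itself. It builds
# the "allow the complement" HBAC layout with the ipa CLI. All names below
# (hostgroups, HBAC rules, the admin user group, the domain regex) are
# assumptions for illustration. DRY_RUN=1 (the default) prints the ipa
# commands instead of executing them, so the script also runs offline.
set -eu

: "${DRY_RUN:=1}"
CRITICAL_HG=critical-servers   # fixed set of ~10 restricted hosts
REST_HG=general-servers        # everyone else, kept current by automember
ADMINS_GROUP=critical-admins   # assumed user group allowed onto critical hosts
DOMAIN_RE='\.example\.com$'    # assumed: every enrolled host's FQDN matches this

# Run an ipa subcommand, or print it when DRY_RUN=1.
ipa_run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'ipa %s\n' "$*"; else ipa "$@"; fi
}

# Live helper (talks to the server, so not used in dry-run):
# one FQDN per line for every enrolled host.
list_all_hosts() {
  ipa host-find --sizelimit=0 --pkey-only --raw | awk '$1 == "fqdn:" { print $2 }'
}

# Set difference: hosts listed in file $1 but not in file $2 (one FQDN per line).
# grep exits 1 when nothing is left, which is a valid (empty) result here.
complement() {
  grep -Fvx -f "$2" "$1" || true
}

# Step 1: the fixed critical hostgroup and its complement.
setup_hostgroups() {
  local all_hosts=$1 critical_hosts=$2 h
  ipa_run hostgroup-add "$CRITICAL_HG" --desc="restricted hosts"
  ipa_run hostgroup-add "$REST_HG" --desc="all other hosts"
  while read -r h; do
    ipa_run hostgroup-add-member "$CRITICAL_HG" --hosts="$h"
  done < "$critical_hosts"
  complement "$all_hosts" "$critical_hosts" | while read -r h; do
    ipa_run hostgroup-add-member "$REST_HG" --hosts="$h"
  done
}

# Step 2: automember so every newly enrolled host lands in the general group.
# A newly enrolled *critical* host lands there too and has to be removed by
# hand, which is the monitoring caveat from the reply above.
setup_automember() {
  ipa_run automember-add --type=hostgroup "$REST_HG"
  ipa_run automember-add-condition --type=hostgroup "$REST_HG" \
    --key=fqdn --inclusive-regex="$DOMAIN_RE"
}

# Step 3: HBAC has allow rules only, so two allow rules replace "negate".
setup_hbac() {
  ipa_run hbacrule-add allow_critical --servicecat=all
  ipa_run hbacrule-add-host allow_critical --hostgroups="$CRITICAL_HG"
  ipa_run hbacrule-add-user allow_critical --groups="$ADMINS_GROUP"
  ipa_run hbacrule-add allow_general --usercat=all --servicecat=all
  ipa_run hbacrule-add-host allow_general --hostgroups="$REST_HG"
  # The default allow_all rule would grant everyone everything; disable it.
  ipa_run hbacrule-disable allow_all
}

# Step 4: check the result server-side before relying on it.
hbac_check() {
  ipa_run hbactest --user="$1" --host="$2" --service=sshd
}

main() {
  setup_hostgroups "$1" "$2"
  setup_automember
  setup_hbac
  # alice is an assumed test user; on a critical host she should be denied
  # unless she is in critical-admins.
  hbac_check alice "$(head -n1 "$2")"
}

# Usage: DRY_RUN=1 ./hbac-complement.sh all-hosts.txt critical-hosts.txt
if [ $# -eq 2 ]; then main "$1" "$2"; fi
```

Two things to keep in mind when running this for real. Do not run `ipa automember-rebuild --type=hostgroup` afterwards without thinking: the rebuild re-evaluates every existing host against the inclusive regex and would put the critical hosts back into the general group. If the critical hosts follow a naming convention, an `automember-add-condition ... --key=fqdn --exclusive-regex=...` on the general group removes the manual step Simo mentions, because exclusive conditions win over inclusive ones. And check the outcome with `ipa hbactest` for both an admin and a non-admin against a critical host before disabling `allow_all` in production.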