[Freeipa-users] Re: HBAC: Negate?

Christina,

the easiest way to handle your situation is to create a new group for allowed hosts, add all current hosts then remove the 10 you care about. Finally set up an auto-membership rule so all new hosts are automatically added to that group. You will have to monitor/remove any new "special" server you may add, but this will work to obtain your "negate" rule in an easily maintainable way. HTH, Simo. On Mon, 2019-07-29 at 11:31 -0400, Rob Crittenden via FreeIPA-users wrote: > Christian Reiss via FreeIPA-users wrote: > > Hey, > > > > I take it this is not possible an no one does this? > > It is not possible. HBAC only provides allow rules. > > rob > > > > > -Chris. > > > > On 26/07/2019 17:00, Christian Reiss via FreeIPA-users wrote: > > > Hey folks, > > > > > > We are running a lot of server, we nearly exhausted and allocated our > > > /29 ipv6 allocation*. > > > > > > Let's say we have 10 really, really important servers that only a > > > handful of people should be able to access. Everyone else not. > > > > > > So I have a fixed group of known "critical servers" and a dynamic, ever > > > changing group of "the rest". As I have not yet found a "negate" option > > > what is the smartest way to allow a fixed group to a fixed set of > > > servers, while everyone else has access to everything else but this? > > > > > > > > > Thanks and have a great weekend folks! > > > -Chris. > > > > > > * Alternate facts disclaimer: The given number has been optimized to > > > impress, bedazzle and to intimidate. The real number of host might be > > > substantially smaller. > > > > > > > > > _______________________________________________ > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...