On 23/07/2018 09:33, Alexander Bokovoy wrote:
On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
> hi guys
>
> I wonder, and hope you guys could tell if it's possible in IPA, when
> there is one-way trust established between AD & IPA, to allow only
> certain account to login & access IPA's resources?
>
> An ideal scenario I'm looking for is where all users from AD are
> initially disallowed to login & access IPA domain, and then admin can
> allow such user on per user or group basis.
>
> Is something like that "built-in" IPA's feature?
HBAC rules were created for that reason -- if you create explicit rules
to allow access where required and then disable the 'allow_all' rule, you'd
achieve it. Remember that you need to include a POSIX group your AD users
are members of into HBAC rules because that's how SSSD enforces the
rules on the POSIX level.
How could all AD users be caught in one go, or as one group?
I once found a doc talking about a technique (was it with regards to
Samba?) where all AD users were "mangled" into one group/gid (and by
default I see each AD user has a unique gid in IPA), but I cannot find
this website now. Would that be one way of getting them into HBAC?
many thanks, L.
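The sequence Alexander describes above, written out as an added example (not from this thread and not FreeIPA project code): map one AD group into an IPA external group, nest that in a POSIX group so SSSD can evaluate it, add one explicit HBAC rule for that POSIX group, and only then disable allow_all. Every name in it is an assumption chosen for illustration: AD domain ad.example.test, AD group linux-admins, IPA groups ad_linux_admins_external and ad_linux_admins, rule allow_ad_linux_admins, test host client.ipa.example.test. It needs a Kerberos ticket for an IPA admin (kinit admin) to run for real; set IPA=echo to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict logins in an IPA
# domain with a one-way AD trust to members of one AD group.
# All names below are assumptions for illustration.
set -eu

IPA="${IPA:-ipa}"                    # set IPA=echo for a dry run

AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"   # assumed AD domain
AD_GROUP="${AD_GROUP:-linux-admins}"        # assumed AD group to allow
EXT_GROUP="ad_linux_admins_external"        # assumed IPA external group
POSIX_GROUP="ad_linux_admins"               # assumed IPA POSIX group
RULE="allow_ad_linux_admins"                # assumed HBAC rule name

# 1. AD SIDs can only be members of a non-POSIX "external" IPA group, while
#    SSSD enforces HBAC on POSIX groups, so nest external -> POSIX.
map_ad_group() {
    "$IPA" group-add "$EXT_GROUP" --external --desc="AD $AD_GROUP mapped for HBAC"
    "$IPA" group-add-member "$EXT_GROUP" --external="$AD_GROUP@$AD_DOMAIN"
    "$IPA" group-add "$POSIX_GROUP" --desc="POSIX wrapper for $EXT_GROUP"
    "$IPA" group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# 2. One explicit allow rule: the POSIX group, on every host, for every service.
#    Narrow --hostcat/--servicecat to host groups and services as needed.
add_allow_rule() {
    "$IPA" hbacrule-add "$RULE" --hostcat=all --servicecat=all \
        --desc="Members of AD $AD_GROUP may log in"
    "$IPA" hbacrule-add-user "$RULE" --groups="$POSIX_GROUP"
}

# 3. Lock the door only after the new key exists: if the rule is missing
#    (a previous step failed), disabling allow_all would cut off everyone.
disable_allow_all() {
    "$IPA" hbacrule-show "$RULE" >/dev/null
    "$IPA" hbacrule-disable allow_all
}

# 4. Simulate before trusting it: a group member must pass and a
#    non-member must be denied. USER is an assumed AD account.
verify() {
    user="$1"
    "$IPA" hbactest --user="$user@$AD_DOMAIN" \
        --host="client.ipa.example.test" --service=sshd
}

main() {
    map_ad_group
    add_allow_rule
    disable_allow_all
    verify "someuser"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh lockdown.sh --run` (or `IPA=echo sh lockdown.sh --run` to review the commands first). The order matters: the explicit rule is created and checked with hbacrule-show before allow_all is disabled, so a failed earlier step cannot leave the domain with no allow rule at all.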