On Fri, 27 Jul 2018, lejeczek wrote:
>On 23/07/18 09:33, Alexander Bokovoy wrote:
>>On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>>>hi guys
>>>
>>>I wonder, and hope you guys could tell, if it's possible in IPA,
>>>when there is a one-way trust established between AD & IPA, to allow
>>>only certain accounts to log in & access IPA's resources?
>>>
>>>An ideal scenario I'm looking for is where all users from AD are
>>>initially disallowed to log in & access the IPA domain, and then an admin
>>>can allow such users on a per-user or per-group basis.
>>>
>>>Is something like that a "built-in" IPA feature?
>>HBAC rules were created for that reason -- if you create explicit rules
>>to allow access where required and then disable the 'allow_all' rule, you'd
>>achieve it. Remember that you need to include a POSIX group your AD users
>>are members of into HBAC rules because that's how SSSD enforces the
>>rules on the POSIX level.
>>
>I should now start looking into HBAC.
>On a possibly off-topic issue: where would a Windows client box be
>standing in such a scenario? Is it possible to have a Windows box
>somehow adhere and follow? For example, with a login being allowed/denied. Is
>this outside of IPA's location & scope, so that only AD policies can
>achieve this, or could IPA manage such a Windows box?
It is outside of IPA. We do not support logging into Windows clients using IPA users.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
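The default-deny setup Alexander describes (explicit HBAC rules first, then disable `allow_all`, with the AD users reachable through a POSIX group) as an added shell example; it is not code from the thread or from the FreeIPA project. It assumes an established one-way trust to a placeholder AD domain `ad.example.test`, an AD group `shell-users` in that domain, an IPA host group `webservers` that already exists, and a valid admin Kerberos ticket on the box running `ipa`. Setting `IPA=echo` previews the commands without touching the server.

```shell
#!/bin/sh
# Added example: lock IPA down to "deny AD users by default, allow per group".
# Placeholders: ad.example.test (AD domain), shell-users (AD group),
# webservers (existing IPA host group). IPA=echo gives a dry run.

IPA="${IPA:-ipa}"
AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"   # placeholder trusted AD domain

# Step 1: external group holds the AD SIDs; a plain POSIX group wraps it.
# SSSD enforces HBAC on the client using POSIX group membership, so the
# HBAC rule must reference the POSIX wrapper, not the external group.
setup_groups() {
    $IPA group-add --external ad_shell_users_external \
        --desc "AD users allowed shell access (external, holds SIDs)"
    $IPA group-add-member ad_shell_users_external \
        --external "$AD_DOMAIN\\shell-users"
    $IPA group-add ad_shell_users --desc "POSIX wrapper for AD shell users"
    $IPA group-add-member ad_shell_users --groups ad_shell_users_external
}

# Step 2: one explicit allow rule: that POSIX group, the web hosts, sshd only.
add_allow_rule() {
    $IPA hbacrule-add ad_shell_access \
        --desc "AD shell-users may ssh to webservers"
    $IPA hbacrule-add-user ad_shell_access --groups ad_shell_users
    $IPA hbacrule-add-host ad_shell_access --hostgroups webservers
    $IPA hbacrule-add-service ad_shell_access --hbacsvcs sshd
}

# Step 3: simulate access before and after the change; $1 = user, $2 = host.
# hbactest evaluates the rules server-side and reports allow/deny.
check_access() {
    $IPA hbactest --user "$1" --host "$2" --service sshd
}

# Step 4: only now disable the default rule. Done earlier, every login on
# every IPA client (admins included) would be refused until Step 2 lands.
disable_allow_all() {
    $IPA hbacrule-disable allow_all
}

# Whole procedure in the safe order; run as "sh lockdown.sh apply".
lockdown() {
    setup_groups
    add_allow_rule
    check_access "someone@$AD_DOMAIN" "web01.ipa.example.test"
    disable_allow_all
}

case "${1:-}" in
    apply) lockdown ;;
esac
```

After `allow_all` is disabled, an AD user who is not in `shell-users` is denied on every IPA client, while members reach sshd on the `webservers` group only; `ipa hbactest` is the quickest way to confirm both outcomes before and after the switch. Note that this controls logins on IPA-enrolled Linux clients only, which matches Alexander's answer about Windows boxes: those are governed by AD policy, not by IPA.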