On Thu, 24 Jan 2019, lejeczek via FreeIPA-users wrote:
> On 23/07/2018 09:33, Alexander Bokovoy wrote:
>> On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>>> hi guys
>>> I wonder, and hope you guys could tell, if it's possible in IPA, when
>>> there is a one-way trust established between AD & IPA, to allow only
>>> certain accounts to login & access IPA's resources?
>>> An ideal scenario I'm looking for is where all users from AD are
>>> initially disallowed to login & access the IPA domain, and then an admin can
>>> allow such users on a per-user or per-group basis.
>>> Is something like that a "built-in" IPA feature?
>> HBAC rules were created for that reason -- if you create explicit rules
>> to allow access where required and then disable the 'allow_all' rule, you'd
>> achieve it. Remember that you need to include a POSIX group your AD users
>> are members of in the HBAC rules because that's how SSSD enforces the
>> rules on the POSIX level.
> How could all AD users be caught in one go, or as one group?
> I once found a doc talking about a technique (was it with regards to
> samba?) where all AD users were "mangled" into one group/gid (and by
> default I see each AD user has a unique gid in IPA), but I cannot find
> this website now. Would that be one way of getting them into HBAC?
Please read the documentation. Also, this topic was raised multiple
times on this list in the past.
There is an example for 'catching all' in
ipa help group
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
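The procedure Alexander outlines, written out as an added shell example (not from this thread or from the FreeIPA project): an external group maps the AD group, a POSIX group containing it is what the HBAC rule references, and 'allow_all' is disabled only after the explicit rule exists. The AD domain name, group names, rule name and the user/host used for verification are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: allow only one POSIX group of AD users
# through HBAC, then retire the default 'allow_all' rule.
# Assumptions (not from the thread): AD domain 'ad.example.test', IPA groups
# 'ad_users_external' / 'ad_users', HBAC rule 'allow_ad_users', and a
# placeholder user/host for hbactest. Needs an admin ticket (kinit admin)
# when run for real; DRY_RUN=1 prints the ipa commands instead of running them.
AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"
EXT_GROUP="${EXT_GROUP:-ad_users_external}"
POSIX_GROUP="${POSIX_GROUP:-ad_users}"
RULE="${RULE:-allow_ad_users}"
TEST_HOST="${TEST_HOST:-ipa-client.example.test}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# Step 1: the external (non-POSIX) group holds the AD SID; the POSIX group
# that contains it is what SSSD evaluates when enforcing HBAC rules.
create_groups() {
    run group-add --desc='AD users, external map' "$EXT_GROUP" --external
    run group-add --desc='AD users, POSIX' "$POSIX_GROUP"
    # 'Domain Users' contains every AD user by default, hence the catch-all.
    run group-add-member "$EXT_GROUP" --external "${AD_DOMAIN}\\Domain Users"
    run group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# Step 2: an explicit HBAC rule for that group. Scope is all hosts and all
# services here; narrow --hostcat/--servicecat to what is actually needed.
create_rule() {
    run hbacrule-add "$RULE" --desc='Access for AD users' \
        --hostcat=all --servicecat=all
    run hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
}

# Step 3: disable 'allow_all' only after the explicit rule exists; doing it
# first would lock every AD user out until the new rule is in place.
restrict_default() {
    run hbacrule-disable allow_all
}

# Step 4: simulate the evaluation for an AD user before relying on it.
verify() {
    run hbactest --user="someuser@${AD_DOMAIN}" --host="$TEST_HOST" --service=sshd
}

setup_ad_hbac() {
    create_groups
    create_rule
    restrict_default
    verify
}

# Run with: DRY_RUN=1 sh ad_hbac.sh apply   (preview)
#           sh ad_hbac.sh apply             (apply against the IPA server)
if [ "${1:-}" = "apply" ]; then
    setup_ad_hbac
fi
```

Users who are not in the referenced group, and groups the admin later removes from 'allow_ad_users', are denied once 'allow_all' is disabled; adding further per-user or per-group rules with hbacrule-add follows the same pattern.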