hi guys
I wonder, and hope you guys could tell, if it's possible in IPA, when there is a one-way trust established between AD & IPA, to allow only certain accounts to log in & access IPA's resources?
An ideal scenario I'm looking for is where all users from AD are initially disallowed to log in & access the IPA domain, and then an admin can allow such users on a per-user or per-group basis.
Is something like that a "built-in" IPA feature?
many thanks, L.
On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
> hi guys
> I wonder, and hope you guys could tell, if it's possible in IPA, when there is a one-way trust established between AD & IPA, to allow only certain accounts to log in & access IPA's resources?
> An ideal scenario I'm looking for is where all users from AD are initially disallowed to log in & access the IPA domain, and then an admin can allow such users on a per-user or per-group basis.
> Is something like that a "built-in" IPA feature?
HBAC rules were created for that reason -- if you create explicit rules to allow access where required and then disable the 'allow_all' rule, you'd achieve it. Remember that you need to include a POSIX group your AD users are members of in the HBAC rules, because that's how SSSD enforces the rules on the POSIX level.
On 23/07/18 09:33, Alexander Bokovoy wrote:
> On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>> hi guys
>> I wonder, and hope you guys could tell, if it's possible in IPA, when there is a one-way trust established between AD & IPA, to allow only certain accounts to log in & access IPA's resources?
>> An ideal scenario I'm looking for is where all users from AD are initially disallowed to log in & access the IPA domain, and then an admin can allow such users on a per-user or per-group basis.
>> Is something like that a "built-in" IPA feature?
> HBAC rules were created for that reason -- if you create explicit rules to allow access where required and then disable the 'allow_all' rule, you'd achieve it. Remember that you need to include a POSIX group your AD users are members of in the HBAC rules, because that's how SSSD enforces the rules on the POSIX level.
I should now start looking into HBAC.
On a possibly off-topic issue: where would a Windows client box stand in such a scenario? Is it possible to have a Windows box somehow adhere and follow, for example with a login being allowed/denied? Is this outside of IPA's scope, and only AD policies can achieve this, or could IPA manage such a Windows box?
many thanks, L.
On Fri, 27 Jul 2018, lejeczek wrote:
> On 23/07/18 09:33, Alexander Bokovoy wrote:
>> On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>>> hi guys
>>> I wonder, and hope you guys could tell, if it's possible in IPA, when there is a one-way trust established between AD & IPA, to allow only certain accounts to log in & access IPA's resources?
>>> An ideal scenario I'm looking for is where all users from AD are initially disallowed to log in & access the IPA domain, and then an admin can allow such users on a per-user or per-group basis.
>>> Is something like that a "built-in" IPA feature?
>> HBAC rules were created for that reason -- if you create explicit rules to allow access where required and then disable the 'allow_all' rule, you'd achieve it. Remember that you need to include a POSIX group your AD users are members of in the HBAC rules, because that's how SSSD enforces the rules on the POSIX level.
> I should now start looking into HBAC.
> On a possibly off-topic issue: where would a Windows client box stand in such a scenario? Is it possible to have a Windows box somehow adhere and follow, for example with a login being allowed/denied? Is this outside of IPA's scope, and only AD policies can achieve this, or could IPA manage such a Windows box?
It is outside of IPA. We do not support logging into Windows clients using IPA users.
On 23/07/2018 09:33, Alexander Bokovoy wrote:
> On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>> hi guys
>> I wonder, and hope you guys could tell, if it's possible in IPA, when there is a one-way trust established between AD & IPA, to allow only certain accounts to log in & access IPA's resources?
>> An ideal scenario I'm looking for is where all users from AD are initially disallowed to log in & access the IPA domain, and then an admin can allow such users on a per-user or per-group basis.
>> Is something like that a "built-in" IPA feature?
> HBAC rules were created for that reason -- if you create explicit rules to allow access where required and then disable the 'allow_all' rule, you'd achieve it. Remember that you need to include a POSIX group your AD users are members of in the HBAC rules, because that's how SSSD enforces the rules on the POSIX level.
How could all AD users be caught in one go, or as one group?
I once found a doc talking about a technique (was it with regards to Samba?) where all AD users were "mangled" into one group/gid (by default I see each AD user has a unique gid in IPA), but I cannot find this website now. Would that be one way of getting them into HBAC?
many thanks, L.
On Thu, 24 Jan 2019, lejeczek via FreeIPA-users wrote:
> On 23/07/2018 09:33, Alexander Bokovoy wrote:
>> On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>>> hi guys
>>> I wonder, and hope you guys could tell, if it's possible in IPA, when there is a one-way trust established between AD & IPA, to allow only certain accounts to log in & access IPA's resources?
>>> An ideal scenario I'm looking for is where all users from AD are initially disallowed to log in & access the IPA domain, and then an admin can allow such users on a per-user or per-group basis.
>>> Is something like that a "built-in" IPA feature?
>> HBAC rules were created for that reason -- if you create explicit rules to allow access where required and then disable the 'allow_all' rule, you'd achieve it. Remember that you need to include a POSIX group your AD users are members of in the HBAC rules, because that's how SSSD enforces the rules on the POSIX level.
> How could all AD users be caught in one go, or as one group?
> I once found a doc talking about a technique (was it with regards to Samba?) where all AD users were "mangled" into one group/gid (by default I see each AD user has a unique gid in IPA), but I cannot find this website now. Would that be one way of getting them into HBAC?
Please read the documentation. Also, this topic was raised multiple times on this list in the past.
There is an example for 'catching all' in the 'ipa help group' output.
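Putting Alexander's two answers together (an explicit HBAC rule over a POSIX group that wraps the AD group, then disabling 'allow_all'; and catching all AD users through a single external group), the script below is an added example and is not part of this thread or of the FreeIPA project's own code. The AD domain, the AD group, the host group, the rule name and the user/host used for the hbactest call are placeholders. 'Domain Users' is used as the catch-all because every AD user belongs to it by default; substitute a narrower AD group to grant access per group. Setting IPA=echo prints the ipa commands instead of running them, which is how the sequence can be reviewed before it touches a live server.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Map an AD group into IPA, put it in an
# explicit HBAC rule, and only then disable 'allow_all'. Names below are placeholders.
set -e

IPA="${IPA:-ipa}"                            # set IPA=echo for a dry run
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"     # assumed trusted AD domain
AD_GROUP="${AD_GROUP:-Domain Users}"         # every AD user is in 'Domain Users' (catch-all);
                                             # use a narrower AD group for per-group control
EXT_GROUP="${EXT_GROUP:-ad_users_external}"  # non-POSIX group that stores the AD SID
POSIX_GROUP="${POSIX_GROUP:-ad_users}"       # POSIX group that SSSD can match in HBAC
HOSTGROUP="${HOSTGROUP:-linux-clients}"      # assumed existing IPA host group
RULE="${RULE:-allow_ad_users_ssh}"           # assumed rule name

# Step 1: external group holds the AD SID; a plain POSIX group containing it is
# what the HBAC evaluation on the client actually matches against.
ipa_map_ad_group() {
  "$IPA" group-add "$EXT_GROUP" --external --desc="AD group ${AD_GROUP} (external)"
  "$IPA" group-add-member "$EXT_GROUP" --external="${AD_GROUP}@${AD_DOMAIN}"
  "$IPA" group-add "$POSIX_GROUP" --desc="POSIX wrapper for ${EXT_GROUP}"
  "$IPA" group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# Step 2: an explicit allow rule scoped to the POSIX group, one host group and sshd.
ipa_add_hbac_rule() {
  "$IPA" hbacrule-add "$RULE" --desc="SSH for ${AD_GROUP}@${AD_DOMAIN}"
  "$IPA" hbacrule-add-user "$RULE" --groups="$POSIX_GROUP"
  "$IPA" hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
  "$IPA" hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# Step 3: disable the default rule last; done first, it locks everyone out until
# the explicit rule exists. Keep a separate rule for your admins as well.
ipa_disable_allow_all() {
  "$IPA" hbacrule-disable allow_all
}

# Step 4: ask the server how it would decide for one AD user before relying on it.
ipa_check_access() {
  user="$1"; host="$2"
  "$IPA" hbactest --user="${user}@${AD_DOMAIN}" --host="$host" --service=sshd
}

hbac_lockdown() {
  ipa_map_ad_group
  ipa_add_hbac_rule
  ipa_disable_allow_all
}

# Run as a script: apply the sequence, then test a placeholder user and host.
if [ "${0##*/}" = "hbac_lockdown.sh" ]; then
  hbac_lockdown
  ipa_check_access "someuser" "client1.ipa.example.com"
fi
```

After changing group memberships, clients that already cached the AD user may keep the old answer until their SSSD cache expires or is cleared with sss_cache -E; hbactest evaluates the rules on the server and is not affected by that cache.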