I am considering the Host Based Access Control features to help manage things in our infrastructure that cannot be ipa-clients - like network hardware (switches, routers). With the understanding that my servers do not run the DNS, can I create such hosts to use in host groups and HBAC rules?
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
I am considering the Host Based Access Control features to help manage things in our infrastructure that cannot be ipa-clients - like network hardware (switches, routers)
With the understanding that my servers do not run the DNS, can I create such hosts to use in host groups and HBAC rules?
You can create hosts that don't exist in DNS using --force on the command-line. I'm pretty sure there is the equivalent in the WUI.
And sure, you could add them to HBAC rules, but enforcement happens on the client, and if the client isn't running sssd with the IPA backend...
rob
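The steps Rob outlines, as an added example that is not part of this thread: a host entry created with --force (no DNS record needed), placed in a host group, referenced by an HBAC rule, and then evaluated server-side with hbactest. Hostnames, group and rule names are placeholders; the IPA variable exists so the commands can be dry-run through a wrapper instead of a real `ipa` client.

```shell
#!/bin/sh
# Added example, not the list's or FreeIPA's own code. Uses only documented
# ipa subcommands; names are placeholders. IPA can point at a wrapper for
# dry runs (e.g. a shell function that echoes the command).
IPA=${IPA:-ipa}

# Register a device that has no DNS record and will never run sssd.
# --force is what lets host-add skip the DNS lookup.
add_non_dns_host() {
    "$IPA" host-add "$1" --force
}

# Keep rules pointed at a host group rather than individual switches.
add_to_hostgroup() {
    host="$1"; hostgroup="$2"
    "$IPA" hostgroup-add "$hostgroup" --desc="network gear (no sssd)" 2>/dev/null
    "$IPA" hostgroup-add-member "$hostgroup" --hosts="$host"
}

# HBAC rule: user group $3 may use HBAC service $4 on host group $2.
create_hbac_rule() {
    rule="$1"; hostgroup="$2"; usergroup="$3"; service="$4"
    "$IPA" hbacrule-add "$rule" &&
    "$IPA" hbacrule-add-host "$rule" --hostgroups="$hostgroup" &&
    "$IPA" hbacrule-add-user "$rule" --groups="$usergroup" &&
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs="$service"
}

# A switch never asks IPA for an HBAC decision, so nothing enforces the rule
# on the device itself. hbactest is the only place to check what an
# sssd/IPA-backed client *would* decide for this user/host/service triple.
check_rule() {
    "$IPA" hbactest --user="$1" --host="$2" --service="$3"
}
```

Run the functions in that order against a real `ipa` session; the hbactest result reflects rule evaluation on the server, not anything happening on the switch.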
Food for thought. Thanks, Rob
Daniel E. White <daniel.e.white@nasa.gov>
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road, Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919 Mobile: (240) 513-5290
From: Rob Crittenden <rcritten@redhat.com>
Date: Tuesday, January 14, 2020 at 14:21
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Daniel White <daniel.e.white@nasa.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] Adding Hosts that are not ipa-clients ?