On Fri, 27 Jul 2018, lejeczek wrote:
On 23/07/18 09:33, Alexander Bokovoy wrote:
On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
hi guys
I wonder, and hope you guys could tell, if it's possible in IPA,
when there is a one-way trust established between AD & IPA, to allow
only certain accounts to log in & access IPA's resources?
An ideal scenario I'm looking for is where all users from AD are
initially disallowed from logging in & accessing the IPA domain, and then an admin
can allow such users on a per-user or per-group basis.
Is something like that a "built-in" IPA feature?
HBAC rules were created for that reason -- if you create explicit rules
to allow access where required and then disable 'allow_all' rule, you'd
achieve it. Remember that you need to include a POSIX group your AD users
are member of into HBAC rules because that's how SSSD enforces the
rules on POSIX level.
I should now start looking into HBAC.
On a possibly off-topic issue: where would a Windows client box be
standing in such a scenario? Is it possible to have a Windows box
somehow adhere and follow? For example, with a login being allowed/denied. Is
this outside of IPA's location & scope, such that only AD policies can
achieve this, or could IPA manage such a Windows box?
It is outside of IPA. We do not support logging into Windows clients
using IPA users.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/XZY3J6JWQJDW4LPVJHQPBC3RYWEBBJQX/
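The HBAC advice in the thread (disable `allow_all`, add explicit rules, and reference the POSIX group the AD users end up in rather than the external group) is modelled below. This is an added example written for this page, not FreeIPA or SSSD code: it is a small evaluator over constructed directory state, with invented SIDs, user names, hosts and group names, that reproduces the allow-only semantics of HBAC (access is granted iff at least one enabled rule matches the user, host and service). It shows why the rule must name the POSIX group: an AD user reaches a POSIX group only through an external group that holds their AD SID, and SSSD evaluates membership at the POSIX level, so a rule that names the external group itself matches nobody. On a real deployment the equivalent check is `ipa hbactest --user <user> --host <host> --service <service>` after the rules have been created.

```python
"""
Toy HBAC evaluator for a trusted-domain (AD) user in FreeIPA.

Constructed example, not FreeIPA/SSSD code.  All SIDs, names and hosts
are invented.  The model keeps only what the thread is about:
  * the default 'allow_all' rule lets every AD user in;
  * after it is disabled, an explicit rule only works when it names the
    POSIX group that (transitively) nests the external group holding the
    AD users, because SSSD enforces HBAC on POSIX group membership.
"""
from dataclasses import dataclass, field

ALL = "all"  # category value meaning "matches everything"


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: str = ""      # ALL or "" (empty means: use users/groups)
    hostcat: str = ""
    servicecat: str = ""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)     # POSIX groups only
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)


# --- constructed directory state (invented values) -------------------------
# AD side: user -> AD group SIDs the user is a member of.
AD_USER_GROUPS = {
    "alice@ad.example.test": {"S-1-5-21-1-2-3-1101"},  # in AD 'Linux Admins'
    "bob@ad.example.test":   {"S-1-5-21-1-2-3-1102"},  # only in 'Domain Users'
}
# IPA side: external (non-POSIX) groups hold AD SIDs ...
IPA_EXTERNAL_GROUPS = {"ad_admins_external": {"S-1-5-21-1-2-3-1101"}}
# ... and POSIX groups nest the external groups (group -> member groups).
IPA_POSIX_GROUP_MEMBERS = {"ad_admins": {"ad_admins_external"}}
IPA_HOSTGROUPS = {"ipaservers": {"srv1.ipa.example.test"}}


def effective_posix_groups(user):
    """Resolve an AD user's SIDs through external groups to the POSIX groups
    that nest them (nesting followed transitively); external groups are not
    returned because SSSD does not see them as POSIX groups."""
    sids = AD_USER_GROUPS.get(user, set())
    resolved = {g for g, m in IPA_EXTERNAL_GROUPS.items() if sids & m}
    changed = True
    while changed:
        changed = False
        for group, members in IPA_POSIX_GROUP_MEMBERS.items():
            if group not in resolved and resolved & members:
                resolved.add(group)
                changed = True
    return resolved - set(IPA_EXTERNAL_GROUPS)


def rule_matches(rule, user, host, service):
    """A rule matches when it is enabled and its user, host and service
    parts each match (by category 'all' or by explicit membership)."""
    if not rule.enabled:
        return False
    user_ok = (rule.usercat == ALL or user in rule.users
               or bool(rule.groups & effective_posix_groups(user)))
    host_ok = (rule.hostcat == ALL or host in rule.hosts
               or any(host in IPA_HOSTGROUPS.get(hg, set())
                      for hg in rule.hostgroups))
    svc_ok = rule.servicecat == ALL or service in rule.services
    return user_ok and host_ok and svc_ok


def access_allowed(rules, user, host, service):
    """HBAC is allow-only: no deny rules, default deny when nothing matches."""
    return any(rule_matches(r, user, host, service) for r in rules)


def scenario():
    """Walk through the thread's advice and return the access decisions."""
    allow_all = HbacRule("allow_all", usercat=ALL, hostcat=ALL, servicecat=ALL)
    admins_ssh = HbacRule("ad_admins_ssh", groups={"ad_admins"},
                          hostgroups={"ipaservers"}, services={"sshd"})
    # Common mistake: naming the external group instead of the POSIX one.
    wrong_group = HbacRule("ad_admins_ssh_wrong", groups={"ad_admins_external"},
                           hostgroups={"ipaservers"}, services={"sshd"})
    host, svc = "srv1.ipa.example.test", "sshd"
    alice, bob = "alice@ad.example.test", "bob@ad.example.test"
    results = {}
    # 1. Default state: allow_all enabled, so any AD user gets in.
    results["default_bob"] = access_allowed([allow_all, admins_ssh], bob, host, svc)
    # 2. Disable allow_all: only explicit rules grant access.
    allow_all.enabled = False
    results["locked_alice"] = access_allowed([allow_all, admins_ssh], alice, host, svc)
    results["locked_bob"] = access_allowed([allow_all, admins_ssh], bob, host, svc)
    # 3. Rule that names the external group matches nobody at POSIX level.
    results["external_only_alice"] = access_allowed([allow_all, wrong_group], alice, host, svc)
    return results


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

Run it and the four decisions come out ALLOW, ALLOW, DENY, DENY: the default is wide open, locking down `allow_all` plus a rule on the POSIX group admits only the intended AD users, and a rule on the external group alone denies everyone, which is the failure mode the reply warns about.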