[Freeipa-users] HBAC Test - web vs command line - returns different results

Rob Crittenden rcritten at redhat.com
Mon Sep 17 14:33:29 UTC 2012


Michael Mercier wrote:
> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> Versions:
>>> [root at ipaserver ipatest]# rpm -qa|grep ^ipa
>>> ipa-server-2.2.0-16.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.2.0-16.el6.x86_64
>>> ipa-admintools-2.2.0-16.el6.x86_64
>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>> ipa-client-2.2.0-16.el6.x86_64
>>>
>>>
>>> On the web console:
>>>
>>> Browse to HBAC TEST
>>>
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>> Rules: tacacs
>>>
>>> Run Test -> Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>>
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> ---------------------
>>> Access granted: False
>>> ---------------------
>>>   Not matched rules: tacacs
>>>
>>> tacacs rule:
>>> General: Enabled
>>> Who: user group: ciscoadmin -> mike is a member
>>> accessing: cisco-devices -> pix.beta.local is a member
>>> Via Service: tac_plus
>>> From: any host
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> Mike
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or
>> in some other way.
>>
>> The problem above is related to the "from host" I believe.
>> Please do not use the "from host". The whole concept is a bit broken and
>> not reliable.
>
> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>
> Input form contains invalid of missing values.
>
> Missing values:
>       Source host.

I believe this value is ignored anyway.

This is very strange as the same backend is used to evaluate both the web and cli rules.

It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.

If you want to give this a go, edit /etc/ipa/default.conf and add

debug = True

and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response.

You probably don't want to leave this enabled for too long.

rob
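The debug toggle Rob describes (a `debug = True` line in the `[global]` section of /etc/ipa/default.conf, followed by an httpd restart) is easy to leave behind or to add twice when done by hand. The script below is an added example, not code from this thread or from the FreeIPA project: two small shell functions that set or read the `debug` key in an ini-style file whose path is passed in, so the change can be rehearsed on a copy and reverted cleanly afterwards. The sample config contents and the temporary file are constructed for the demo; the `service httpd restart` and `error_log` grep in the trailing comments are the manual follow-up steps from the reply, not executed by the script.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): manage the "debug" key in
# an ini-style config such as /etc/ipa/default.conf.  The file path is a
# parameter so the functions can be tried on a copy before the live file.

# ipa_set_debug FILE VALUE
#   Ensure exactly one "debug = VALUE" line exists, placed directly after the
#   [global] header.  Any pre-existing debug line is dropped so repeated runs
#   never accumulate duplicates.  The file is rewritten in place with cat so
#   its mode, owner and SELinux context are preserved.
ipa_set_debug() {
    file=$1
    value=$2
    tmp="$file.tmp.$$"
    # Constructed fallback: create a minimal [global] section if FILE is absent.
    [ -f "$file" ] || printf '[global]\n' > "$file"
    awk -v val="$value" '
        BEGIN { done = 0 }
        # Existing debug line: print the new value once, otherwise discard it.
        /^[[:space:]]*debug[[:space:]]*=/ {
            if (!done) { print "debug = " val; done = 1 }
            next
        }
        { print }
        # Right after the [global] header, insert the key if not yet emitted.
        /^\[global\]/ { if (!done) { print "debug = " val; done = 1 } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ipa_get_debug FILE
#   Print the current debug value with surrounding whitespace removed, or
#   "unset" when no debug line is present.
ipa_get_debug() {
    v=$(awk -F= '/^[[:space:]]*debug[[:space:]]*=/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit
        }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "unset"; fi
}

# Stand-alone demo on a constructed temporary copy, never the live file.
demo=$(mktemp)
printf '[global]\nhost = ipaserver.beta.local\nrealm = BETA.LOCAL\n' > "$demo"
echo "before: debug is $(ipa_get_debug "$demo")"
ipa_set_debug "$demo" True
echo "after:  debug is $(ipa_get_debug "$demo")"
cat "$demo"
rm -f "$demo"

# Manual follow-up on a real server (not run here), per the reply above:
#   ipa_set_debug /etc/ipa/default.conf True
#   service httpd restart            # el6-era init; systemctl on newer hosts
#   ipa hbactest ...                 # repeat the failing command
#   grep -i hbactest /var/log/httpd/error_log   # assumed filter term
#   ipa_set_debug /etc/ipa/default.conf False   # turn it back off afterwards
```

Running `ipa_set_debug` twice with different values leaves a single `debug` line, and `ipa_get_debug` reports `unset` on an untouched file, which makes it safe to script the "enable, reproduce, disable" cycle rather than leaving verbose request and response logging switched on.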