[Freeipa-users] RFE: default hbac is too open

Matthew Barr mbarr at snap-interactive.com
Tue Mar 5 21:13:14 UTC 2013


On Mar 5, 2013, at 9:15 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Артур Файзуллин wrote:
>> What rule must be present for replica to work? :) (in order to remove
>> allow-all rule)
>> I mean may be there is somewhere a guide to write rules for strict
>> allows?
> 
> During the installation we check that communication works between the two servers, so ssh is needed between masters (https://fedorahosted.org/freeipa/ticket/3298). You should be able to use --skip-conncheck to avoid this.
> 
> I don't think we have any suggestions for rules, just documentation on how to write them in general.


However, you could probably make a class of users - admins, for example - that can SSH to the KDCs.  Who else would be making new replicas? You need the master passwords IIRC.


I would really love to have the ability to easily give certain classes of users SSH, and potentially only on certain servers.  


That, plus the ability to change and set your password without ever logging into a system will allow us to really use IPA effectively.    (We have users that don't use linux, and are in IPA only for LDAP & Kerberos auth against web apps.)

Matthew




Matthew Barr
Technical Architect
E: mbarr at snap-interactive.com
AIM: matthewbarr1
c:  (646) 727-0535
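An added example of the approach suggested in this thread (not Matthew's or the FreeIPA project's own code): create a narrow HBAC rule that lets one group reach sshd on the IPA masters, simulate it with hbactest, and only then disable the default allow_all rule. The rule name, group and master hostnames are assumed placeholders; it expects the ipa CLI on an enrolled host with an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the thread: replace FreeIPA's permissive allow_all HBAC rule
# with a narrow rule (one group, the listed masters, the sshd service only), verify it
# with hbactest, and disable allow_all last.
# Assumptions (constructed placeholders): rule name, group and master hostnames below;
# an enrolled host with the ipa CLI and an admin ticket (kinit admin).
set -eu

RULE="${RULE:-admins_ssh_masters}"
GROUP="${GROUP:-admins}"
MASTERS="${MASTERS:-ipa1.example.test,ipa2.example.test}"
DRY_RUN="${DRY_RUN:-0}"

# Run an ipa subcommand, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf 'ipa %s\n' "$*"; else ipa "$@"; fi
}

# Create the narrow rule: members of $GROUP, hosts in $MASTERS, service sshd only.
create_admin_ssh_rule() {
    run hbacrule-add "$RULE" --desc="ssh to IPA masters for $GROUP"
    run hbacrule-add-user "$RULE" --groups="$GROUP"
    run hbacrule-add-host "$RULE" --hosts="$MASTERS"
    run hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# Simulate sshd access for a user against each master; review the "Access granted"
# result for an admin (expected: granted) and a non-admin (expected: denied).
check_ssh_access() {
    user="$1"
    for h in $(printf '%s' "$MASTERS" | tr ',' ' '); do
        run hbactest --user="$user" --host="$h" --service=sshd
    done
}

# Turn off the permissive default only after the new rule exists and has been checked.
disable_allow_all() {
    run hbacrule-disable allow_all
}

# Usage:  DRY_RUN=1 sh hbac.sh apply   (preview)      sh hbac.sh apply   (make the changes)
if [ "${1:-}" = "apply" ]; then
    create_admin_ssh_rule
    check_ssh_access admin
    disable_allow_all
fi
```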