[Freeipa-users] HBAC rules not applying to Solaris clients

Bob harvero at gmail.com
Sat Aug 15 17:46:36 UTC 2015


For Solaris we are using the pam_list module to control which LDAP users
can have system access. The pam_list module allows netgroups to be listed in
a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo <natxo.asenjo at gmail.com>
wrote:

>
>
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> sipazzo wrote:
>>
>>>
>>> and my users are able to authenticate to the directory, but the HBAC
>>> rules are not being applied. Any user, whether given access or not, can
>>> log in to the Solaris systems. The "allow-all" rule has been disabled, my
>>> nsswitch.conf file looks good, and I have tried different configs of
>>> pam.d, including the provided example, to try to resolve the issue. Am I
>>> missing some steps?
>>>
>>
>> HBAC enforcement is provided by sssd, so it doesn't work on Solaris.
>>
>
> One might try using Solaris' RBAC system:
>
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is an RBAC LDAP schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
> Solaris, but I have never tried using it with FreeIPA.
>
> --
> Groeten,
> natxo
>
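A worked dry run of the netgroup-based allow decision described in Bob's message, added here as an example and not code from the thread or from FreeIPA or Solaris. It assumes the user.allow format the message describes: one entry per line, either a login name or a netgroup written as "@name" (blank lines and "#" comments ignored); check pam_list(5) on your Solaris release for the exact syntax before relying on it. The netgroup data is a constructed sample in the triple format `getent netgroup <name>` prints on the client, so the script runs offline; nested netgroups are not expanded.

```shell
#!/bin/sh
# Added example (not part of the original thread): decide, the way a
# pam_list-style user.allow would, whether a user may log in, given the
# netgroup triples the Solaris client resolves through nsswitch/LDAP.
# ASSUMPTION: entries are "user" or "@netgroup", one per line, "#" comments
# and blank lines ignored. See pam_list(5) for the real syntax.

# Constructed sample of what `getent netgroup` returns for two IPA netgroups.
# Format: <netgroup> (host,user,domain) (host,user,domain) ...
SAMPLE_NETGROUPS='solaris-admins (-,alice,) (-,bob,)
solaris-ops (-,carol,ipa.example.test)'

# Constructed sample user.allow: one netgroup plus one explicit user.
SAMPLE_ALLOW='# users allowed onto this Solaris host
@solaris-admins
dave
'

# netgroup_members <netgroup> <triples-text>
# Print the user field of every triple belonging to <netgroup>, one per line.
netgroup_members() {
    printf '%s\n' "$2" | awk -v ng="$1" '
        $1 == ng {
            for (i = 2; i <= NF; i++) {
                t = $i; gsub(/[()]/, "", t)      # drop the parentheses
                split(t, f, ",")                 # f[1]=host f[2]=user f[3]=domain
                if (f[2] != "" && f[2] != "-") print f[2]
            }
        }'
}

# user_allowed <user> <allow-file-text> <triples-text>
# Returns 0 (allowed) if <user> matches a plain entry or is a member of a
# listed @netgroup, 1 (denied) otherwise. The loop runs in a subshell, so the
# verdict is passed back as text rather than via exit status.
user_allowed() {
    user=$1; allow=$2; triples=$3
    verdict=$(printf '%s\n' "$allow" | while IFS= read -r entry; do
        case $entry in
            ''|'#'*) ;;                                   # comment or blank
            '@'*)
                if netgroup_members "${entry#@}" "$triples" | grep -qxF -- "$user"; then
                    echo allow; break
                fi ;;
            *)
                if [ "$entry" = "$user" ]; then echo allow; break; fi ;;
        esac
    done)
    [ "$verdict" = allow ]
}

# Stand-alone run: alice and bob via the netgroup, dave explicitly, carol denied.
for u in alice bob carol dave; do
    if user_allowed "$u" "$SAMPLE_ALLOW" "$SAMPLE_NETGROUPS"; then
        echo "$u: allow"
    else
        echo "$u: deny"
    fi
done
```

To use it against a real client, replace SAMPLE_NETGROUPS with the output of `getent netgroup <name>` on the Solaris box (which also confirms the netgroup resolves through nsswitch at all) and SAMPLE_ALLOW with the contents of the actual allow file. On the IPA side, `ipa hbactest --user <user> --host <fqdn> --service sshd` shows what HBAC would have decided, which is the decision the Solaris client cannot enforce without sssd; the two should agree before the rule set is trusted.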

