On Tue, 28 Jan 2025, Houser, Janet L. via FreeIPA-users wrote:
Hi Rob,

By definition non-POSIX groups are not visible to SSSD. Non-POSIX groups
are used to organize things within IPA only so that the group namespace
isn't polluted with things that are organization-specific. Like you did for
your HBAC group. But that group won't be visible on the system.

If you want that group to be visible it will need to be a POSIX group.

rob


Thank you for the quick response! Since the HBAC rules work nicely
restricting users to computers, I think I'll just go that route.

Also, HBAC rules only work with 'ipa' provider. You cannot have it with
'ldap' or 'ad' provider.

Finally, non-POSIX groups cannot be used in HBAC rules because HBAC
rules are evaluated by SSSD on the actual system against the POSIX user's
group membership which, unsurprisingly, is comprised of POSIX group
membership.

Having "getent" show only users with login access is a "nice to have" so
maybe I'll look into that more at a later date.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
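The thread above makes two operational points: a group must be POSIX before SSSD can see it, and HBAC rules are only enforced when the SSSD domain uses the 'ipa' provider. The script below is an added example, not code from the thread or from the FreeIPA project: it reads the `[domain/...]` section of an sssd.conf file and reports whether HBAC rules will actually be enforced on that client, i.e. whether both `id_provider` and `access_provider` are set to `ipa` (SSSD's `access_provider` defaults to `permit` when unset, so an unset value means no HBAC enforcement). The two configuration files are constructed samples written to temporary files; the domain name `example.test` and host `ipa.example.test` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): decide from sssd.conf whether HBAC
# rules can be enforced on this client. Both sample configs below are
# constructed for the demonstration.

# Print the value of KEY from the first [domain/...] section of FILE.
# Handles both "key = value" and "key=value"; prints nothing if unset.
sssd_domain_value() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$file"
}

# Return 0 when HBAC rules will be honoured: identities must come from the
# ipa provider and access control must be delegated to it as well.
# An unset access_provider means SSSD's default ("permit"), so no HBAC.
sssd_hbac_supported() {
    idp=$(sssd_domain_value "$1" id_provider)
    acc=$(sssd_domain_value "$1" access_provider)
    [ "$idp" = ipa ] && [ "$acc" = ipa ]
}

# Constructed sample: what ipa-client-install typically produces.
good=$(mktemp)
cat > "$good" <<'EOF'
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
access_provider = ipa
ipa_domain = example.test
EOF

# Constructed sample: plain LDAP client pointed at the IPA directory.
# Users and POSIX groups resolve, but HBAC rules are never evaluated.
bad=$(mktemp)
cat > "$bad" <<'EOF'
[sssd]
domains = example.test

[domain/example.test]
id_provider=ldap
ldap_uri = ldaps://ipa.example.test
EOF

trap 'rm -f "$good" "$bad"' EXIT

for f in "$good" "$bad"; do
    if sssd_hbac_supported "$f"; then
        echo "$f: id_provider=ipa, access_provider=ipa -> HBAC rules enforced"
    else
        echo "$f: id_provider=$(sssd_domain_value "$f" id_provider)" \
             "access_provider=${acc:-<unset>} -> HBAC rules NOT enforced"
    fi
done
```

If the check fails on a real client, the fix is on the client side (reconfigure it as an IPA client), not in the HBAC rule. For the group-visibility half of the thread, a non-POSIX group can be promoted to POSIX with `ipa group-mod --posix GROUP`, after which `getent group GROUP` on the client should resolve it.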