Ok thanks all. I will look into pam_list, integrating with the Solaris RBAC is
probably beyond me as I am not that Solaris savvy and there is no documentation
on using it with freeipa that I see.
I tried using AllowGroups in sshd_config on Solaris to restrict access but it
only seems to work with primary group membership. Is this expected? From
reading the documentation it should work with secondary/supplementary groups
as well. Let me know if you have found a way around that, please.
From: Bob <[email protected]>
To: Natxo Asenjo <[email protected]>
Cc: Freeipa-users <[email protected]>
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients
For Solaris we are using the pam_list module to control which LDAP users can
have system access. The pam_list module allows netgroups to be listed in a
user.allow file.
On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo <[email protected]> wrote:
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <[email protected]> wrote:
sipazzo wrote:
and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?
HBAC enforcement is provided by sssd, so it doesn't work on Solaris.
One might try using Solaris' RBAC system:
http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
You would have to distribute your changes to all Solaris systems.
There is an RBAC LDAP schema
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for Solaris,
but I have never tried using it with FreeIPA.
--
Groeten,
natxo
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
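A diagnostic added here, not part of the thread, for the AllowGroups behaviour asked about above. sshd's AllowGroups check passes when the named group is the user's primary group or appears in the supplementary list that the host's name service returns for that user (the initgroups() lookup). If the LDAP/NSS client on the Solaris box never returns supplementary groups, only primary-group matches can succeed, which is exactly the symptom described. The helpers below ask the same name service, so they show what sshd would decide and whether the membership is visible in the group entry at all. Function names and the user/group names in the usage line are my own placeholders.

```shell
#!/bin/sh
# Added diagnostic for the AllowGroups question in the thread; not from the list.
# On older Solaris releases /usr/bin/id lacks -G; use /usr/xpg4/bin/id there.

# All group names (primary first, then supplementary) the name service reports.
all_groups() {
    id -Gn "$1" 2>/dev/null
}

# 0 if USER would pass "AllowGroups GROUP" in sshd_config, 1 otherwise.
allowgroups_match() {
    user=$1
    group=$2
    for g in $(all_groups "$user"); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# 0 if the group entry itself lists USER in its member field. A "yes" here with
# a "no" from allowgroups_match means the directory holds the membership but the
# host's initgroups() path is not returning it (nsswitch.conf / LDAP client
# configuration), which is the thing to investigate rather than sshd.
group_entry_lists_user() {
    user=$1
    group=$2
    members=$(getent group "$group" 2>/dev/null | awk -F: '{print $4}')
    old_ifs=$IFS
    IFS=,
    for m in $members; do
        if [ "$m" = "$user" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Usage: ./check_allowgroups.sh <user> <group>   e.g. ./check_allowgroups.sh jdoe solaris-admins
if [ $# -eq 2 ]; then
    printf 'primary group of %s: %s\n' "$1" "$(id -gn "$1")"
    printf 'all groups of %s:   %s\n' "$1" "$(all_groups "$1")"
    if allowgroups_match "$1" "$2"; then
        echo "AllowGroups $2 would admit $1"
    elif group_entry_lists_user "$1" "$2"; then
        echo "$1 is listed in the $2 entry but initgroups() did not return it: check nsswitch.conf and the LDAP client config"
    else
        echo "$1 is not a member of $2 as far as this host can see"
    fi
fi
```

Run it on the Solaris client as the user you expect AllowGroups to admit; if the second line shows only the primary group while the group entry lists the user, the problem is the name-service configuration returning an incomplete group list, not sshd.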