------
"The antidote to apocalypticism is apocalyptic civics. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "

Greg Bloom @greggish https://twitter.com/greggish/status/873177525903609857

On 8 December 2017 at 00:20, Rob Crittenden <rcritten@redhat.com> wrote:
Lachlan Musicman via FreeIPA-users wrote:
> Stupid question, but to stop anyone from logging in anywhere - for
> instance during a maintenance period - is there an easy maintenance mode
> in IPA?
>
> Or is the best method to disable all HBAC rules?

I guess it depends on what maintenance you're talking about, and where.

If it's general maintenance in your infrastructure then yeah, HBAC rules
seems a good place to start. I guess just leave one rule active, the
rule that lets the administrators log in.

There is no knob in IPA to do this.

Because we still have root access we decided on:

while read -r line ; do ipa hbacrule-disable "$line"; done < <( ipa hbacrule-find --pkey-only |  grep : | cut -d: -f2-)
while read -r line ; do ipa hbacrule-disable "$line"; done < <( ipa hbacrule-find --pkey-only |  grep : | grep -v allow_all | cut -d: -f2-)

Which is sort of hacky, but sufficient.

Cheers
L.