On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
> hi guys
> I wonder, and hope you guys could tell, if it's possible in IPA, when
> there is a one-way trust established between AD & IPA, to allow only
> certain accounts to log in & access IPA's resources?
> An ideal scenario I'm looking for is where all users from AD are
> initially disallowed to log in & access the IPA domain, and then an admin can
> allow such a user on a per-user or per-group basis.
> Is something like that a "built-in" IPA feature?
HBAC rules were created for that reason -- if you create explicit rules
to allow access where required and then disable the 'allow_all' rule, you'd
achieve it. Remember that you need to include a POSIX group your AD users
are members of into HBAC rules, because that's how SSSD enforces the
rules on the POSIX level.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
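The procedure from the reply above, written out as an added example script (not code from the thread or from the FreeIPA project): disable 'allow_all', map an AD group into a POSIX group through an IPA external group, and add one explicit HBAC rule for that POSIX group. The AD domain, group, host group and rule names are assumed placeholders; the script needs an admin Kerberos ticket (kinit admin) unless DRY_RUN=1 is set, in which case it only prints the ipa commands.

```shell
#!/bin/sh
# Added example: restrict a one-way AD trust so that only members of one AD
# group may reach sshd on the IPA clients in one host group.
# All names below are assumed placeholders, not values from the thread.
AD_GROUP='AD.EXAMPLE.COM\ad_ipa_users'   # assumed AD group (DOMAIN\name form)
EXT_GROUP='ad_ipa_users_external'        # IPA external (non-POSIX) group
POSIX_GROUP='ad_ipa_users'               # POSIX group that HBAC/SSSD can match
HOSTGROUP='ad_accessible_clients'        # assumed host group of IPA clients
RULE='allow_ad_ipa_users'                # assumed HBAC rule name

# Execute the command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_hbac() {
  # 1. Switch off the default rule that admits every user, trusted ones included.
  run ipa hbacrule-disable allow_all
  # 2. Map the AD group into IPA: the external group holds the AD member,
  #    the POSIX group wraps it so SSSD can evaluate HBAC against it.
  run ipa group-add --external "$EXT_GROUP" --desc "AD users allowed on IPA"
  run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP"
  run ipa group-add "$POSIX_GROUP" --desc "POSIX wrapper for $EXT_GROUP"
  run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
  # 3. Explicit allow rule: POSIX group -> host group, sshd only.
  run ipa hbacrule-add "$RULE" --desc "AD users via POSIX group"
  run ipa hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
  run ipa hbacrule-add-host "$RULE" --hostgroups "$HOSTGROUP"
  run ipa hbacrule-add-service "$RULE" --hbacsvcs sshd
}

# Check the result: $1 = user principal, $2 = client host. A member of the AD
# group should be granted; any other AD user should be denied after this change.
check_access() {
  run ipa hbactest --user "$1" --host "$2" --service sshd
}

if [ -n "${APPLY:-}" ]; then
  configure_hbac
  check_access 'someone@ad.example.com' 'client1.ipa.example.com'
fi
```

Run with APPLY=1 to apply, or DRY_RUN=1 APPLY=1 to review the exact commands first.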