On 23/07/18 09:33, Alexander Bokovoy wrote:
> On Mon, 23 Jul 2018, lejeczek via FreeIPA-users wrote:
>> hi guys
>> I wonder, and hope you guys could tell if it's possible in IPA, when
>> there is one-way trust established between AD & IPA, to allow only
>> certain account to login & access IPA's resources?
>> An ideal scenario I'm looking for is where all users from AD are
>> initially disallowed to login & access IPA domain, and then admin can
>> allow such user on per user or group basis.
>> Is something like that "built-in" IPA's feature?
> HBAC rules were created for that reason -- if you create explicit rules
> to allow access where required and then disable 'allow_all' rule, you'd
> achieve it. Remember that you need to include a POSIX group your AD users
> are members of into HBAC rules because that's how SSSD enforces the
> rules on POSIX level.
I should now start looking into HBAC.
On a possibly off-topic issue: where would a Windows client box be
standing in such a scenario? Is it possible to have a Windows box somehow
adhere and follow? For example, with a login being allowed/denied. Is this
outside of IPA's location & scope, so that only AD policies can achieve this,
or could IPA manage such a Windows box?
many thanks, L.
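The HBAC setup Alexander describes (explicit allow rule for a POSIX group that wraps the AD users, then disabling `allow_all`), as an added shell example that is not part of the original thread. It assumes a trusted AD domain `AD` with a group `ipa-users`, a host `client.ipa.example.com` and a user `someone@ad.example.com` (all constructed names), an admin Kerberos ticket on a machine with the `ipa` CLI, and `IPA=echo` for a dry run.

```shell
#!/bin/sh
# Restrict a one-way AD trust to an allow-list of AD users via HBAC.
# Assumes an admin Kerberos ticket (kinit admin) where the ipa CLI runs.
# Set IPA=echo to dry-run: the commands are printed instead of executed.
IPA="${IPA:-ipa}"

# 1. Map an AD group (constructed: 'AD\ipa-users') to an IPA external group,
#    then nest that in a POSIX group. HBAC rules must reference the POSIX
#    group, because that is the level at which SSSD evaluates the rule.
setup_ad_group() {
    ad_group="$1" ext_group="$2" posix_group="$3"
    "$IPA" group-add "$ext_group" --external --desc "AD members: $ad_group"
    "$IPA" group-add-member "$ext_group" --external "$ad_group"
    "$IPA" group-add "$posix_group" --desc "POSIX wrapper for $ad_group"
    "$IPA" group-add-member "$posix_group" --groups "$ext_group"
}

# 2. Explicit allow rule: the POSIX group may use one service on every
#    IPA host. Narrow --hostcat=all with hbacrule-add-host if needed.
add_allow_rule() {
    rule="$1" posix_group="$2" service="$3"
    "$IPA" hbacrule-add "$rule" --hostcat=all --desc "Allow-listed AD users"
    "$IPA" hbacrule-add-user "$rule" --groups "$posix_group"
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs "$service"
}

# 3. Default-deny: once allow_all is disabled, AD users not covered by an
#    explicit rule are refused by SSSD on the IPA clients.
disable_allow_all() {
    "$IPA" hbacrule-disable allow_all
}

# 4. Simulate the decision server-side before relying on it.
check_access() {
    user="$1" host="$2" service="$3"
    "$IPA" hbactest --user "$user" --host "$host" --service "$service"
}

# Example run (all names constructed for this illustration).
if [ "${RUN_IPA_SETUP:-0}" = "1" ]; then
    setup_ad_group 'AD\ipa-users' ad_users_external ad_users
    add_allow_rule allow_ad_users ad_users sshd
    disable_allow_all
    check_access 'someone@ad.example.com' 'client.ipa.example.com' sshd
fi
```

Run with `IPA=echo RUN_IPA_SETUP=1 sh script.sh` to review the command sequence first; `ipa hbactest` against a real server is the quick way to confirm an AD user is now denied unless listed.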