Stupid question, but to stop anyone from logging in anywhere - for instance during a maintenance period - is there an easy maintenance mode in IPA?
Or is the best method to disable all HBAC rules?
cheers
L.
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together."
*Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
Lachlan Musicman via FreeIPA-users wrote:
Stupid question, but to stop anyone from logging in anywhere - for instance during a maintenance period - is there an easy maintenance mode in IPA?
Or is the best method to disable all HBAC rules?
I guess it depends on what maintenance you're talking about, and where.
If it's general maintenance in your infrastructure then yeah, HBAC rules seem a good place to start. I guess just leave one rule active, the rule that lets the administrators log in.
There is no knob in IPA to do this.
rob
On 8 December 2017 at 00:20, Rob Crittenden rcritten@redhat.com wrote:
Lachlan Musicman via FreeIPA-users wrote:
Stupid question, but to stop anyone from logging in anywhere - for instance during a maintenance period - is there an easy maintenance mode in IPA?
Or is the best method to disable all HBAC rules?
I guess it depends on what maintenance you're talking about, and where.
If it's general maintenance in your infrastructure then yeah, HBAC rules seem a good place to start. I guess just leave one rule active, the rule that lets the administrators log in.
There is no knob in IPA to do this.
Because we still have root access we decided on:
while read -r line ; do ipa hbacrule-disable "$line"; done < <( ipa hbacrule-find --pkey-only | grep : | cut -d: -f2-)
while read -r line ; do ipa hbacrule-disable "$line"; done < <( ipa hbacrule-find --pkey-only | grep : | grep -v allow_all | cut -d: -f2-)
Which is sort of hacky, but sufficient.
Cheers L.
freeipa-users@lists.fedorahosted.org
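The approach discussed in this thread, as an added example that is not code from any of the posters: it records which HBAC rules were enabled before maintenance so that leaving maintenance re-enables only those, and it refuses to start unless the administrators' rule is enabled. The rule name `admins_only`, the state file path and the assumed `Rule name:` / `Enabled:` layout of `ipa hbacrule-find` output are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumed names: the STATE_FILE path
# and the KEEP_RULE name are hypothetical; set them for your own realm.
STATE_FILE="${STATE_FILE:-/root/hbac-maintenance.state}"
KEEP_RULE="${KEEP_RULE:-admins_only}"

# Constructed sample of `ipa hbacrule-find` output (assumed layout:
# "Rule name:" followed later by "Enabled:" for each rule).
sample_output() {
    printf '%s\n' '  Rule name: admins_only' '  Enabled: TRUE' '' \
        '  Rule name: allow_all' '  User category: all' '  Enabled: TRUE' '' \
        '  Rule name: web devs' '  Enabled: TRUE' '' \
        '  Rule name: legacy_ssh' '  Enabled: FALSE'
}

# stdin: hbacrule-find output; stdout: enabled rule names, minus rule $1.
enabled_rules_except() {
    awk -v keep="$1" '
        /^[ \t]*Rule name:/ { sub(/^[ \t]*Rule name:[ \t]*/, ""); sub(/[ \t]+$/, ""); name = $0; next }
        /^[ \t]*Enabled:/   { if (toupper($2) == "TRUE" && name != "" && name != keep) print name; name = "" }'
}

enter_maintenance() {
    # A second run would record the already-disabled state, so refuse it.
    if [ -e "$STATE_FILE" ]; then echo "already in maintenance: $STATE_FILE" >&2; return 1; fi
    # Abort unless the administrators' rule exists and is enabled.
    ipa hbacrule-show "$KEEP_RULE" </dev/null | grep -qi 'Enabled: *TRUE' || {
        echo "keep rule $KEEP_RULE missing or disabled" >&2; return 1; }
    local out
    out=$(ipa hbacrule-find --sizelimit=0 </dev/null) || return 1
    printf '%s\n' "$out" | enabled_rules_except "$KEEP_RULE" > "$STATE_FILE"
    while read -r rule; do ipa hbacrule-disable "$rule" </dev/null; done < "$STATE_FILE"
}

leave_maintenance() {
    [ -r "$STATE_FILE" ] || { echo "no state file: $STATE_FILE" >&2; return 1; }
    # Re-enable only what was enabled before, leaving retired rules off.
    while read -r rule; do ipa hbacrule-enable "$rule" </dev/null || return 1; done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

case "${1:-}" in
    enter) enter_maintenance ;;
    leave) leave_maintenance ;;
    demo)  sample_output | enabled_rules_except "$KEEP_RULE" ;;
esac
```

Run it with a valid admin Kerberos ticket; `demo` exercises only the parser on the constructed sample and never calls `ipa`.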