On Mon, 2019-07-29 at 11:47 -0400, Simo Sorce via FreeIPA-users wrote:
> Christina,

apologies for the typo, I meant "Christian" of course.

> the easiest way to handle your situation is to create a new group for
> allowed hosts, add all current hosts then remove the 10 you care about.
> Finally set up an auto-membership rule so all new hosts are
> automatically added to that group.
>
> You will have to monitor/remove any new "special" server you may add,
> but this will work to obtain your "negate" rule in an easily
> maintainable way.
>
> HTH,
> Simo.
>
> On Mon, 2019-07-29 at 11:31 -0400, Rob Crittenden via FreeIPA-users
> wrote:
> > Christian Reiss via FreeIPA-users wrote:
> > > Hey,
> > >
> > > I take it this is not possible and no one does this?
> >
> > It is not possible. HBAC only provides allow rules.
> >
> > rob
> >
> > >
> > > -Chris.
> > >
> > > On 26/07/2019 17:00, Christian Reiss via FreeIPA-users wrote:
> > > > Hey folks,
> > > >
> > > > We are running a lot of servers, we nearly exhausted and allocated our
> > > > /29 ipv6 allocation*.
> > > >
> > > > Let's say we have 10 really, really important servers that only a
> > > > handful of people should be able to access. Everyone else not.
> > > >
> > > > So I have a fixed group of known "critical servers" and a dynamic, ever
> > > > changing group of "the rest". As I have not yet found a "negate" option
> > > > what is the smartest way to allow a fixed group to a fixed set of
> > > > servers, while everyone else has access to everything else but this?
> > > >
> > > >
> > > > Thanks and have a great weekend folks!
> > > > -Chris.
> > > >
> > > > * Alternate facts disclaimer: The given number has been optimized to
> > > > impress, bedazzle and to intimidate. The real number of hosts might be
> > > > substantially smaller.
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to
> > > > freeipa-users-le...@lists.fedorahosted.org
> > > > Fedora Code of Conduct:
> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
> --
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
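
The approach from the reply above, as an added example that is not part of the original thread: it prints (does not run) the `ipa` commands for building the allowed-hosts group, and flags critical hosts that the catch-all automember rule later pulled in. The group name `allowed_hosts` and the `example.test` host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints ipa commands for review; runs nothing.
# The group name and all host names are constructed placeholders.

lower() { tr '[:upper:]' '[:lower:]'; }

# in_list FQDN LIST: succeed if FQDN is an exact line of the newline-separated LIST.
in_list() { printf '%s\n' "$2" | lower | grep -qxF -- "$1"; }

# allowed_hosts ALL CRITICAL: every enrolled host except the critical ones.
allowed_hosts() {
    printf '%s\n' "$1" | lower | sort -u | while IFS= read -r h; do
        [ -n "$h" ] || continue
        in_list "$h" "$2" || printf '%s\n' "$h"
    done
}

# plan GROUP ALL CRITICAL: the three steps from the reply, as ipa commands.
plan() {
    echo "ipa hostgroup-add $1 --desc='Hosts open to regular users'"
    allowed_hosts "$2" "$3" | while IFS= read -r h; do
        echo "ipa hostgroup-add-member $1 --hosts=$h"
    done
    echo "ipa automember-add $1 --type=hostgroup"
    echo "ipa automember-add-condition $1 --type=hostgroup --key=fqdn --inclusive-regex='.*'"
}

# drift GROUP MEMBERS CRITICAL: critical hosts that ended up in GROUP
# (e.g. auto-added on enrollment); prints the removal command for each.
drift() {
    printf '%s\n' "$2" | lower | sort -u | while IFS= read -r h; do
        [ -n "$h" ] || continue
        if in_list "$h" "$3"; then echo "ipa hostgroup-remove-member $1 --hosts=$h"; fi
    done
}

# Constructed sample inventory.
ALL='web1.example.test
web2.example.test
Vault1.example.test
db-core.example.test'
CRITICAL='vault1.example.test
db-core.example.test'

plan allowed_hosts "$ALL" "$CRITICAL"
# A critical host enrolled later and auto-added to the group shows up here:
drift allowed_hosts "web1.example.test
vault1.example.test" "$CRITICAL"
```

Feeding `drift` the member list from `ipa hostgroup-show` on a schedule covers the monitoring step the reply mentions.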