On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>> Hello,
>>
>> I seem to be having a problem with the HBAC test:
>>
>> Versions:
>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>>
>>
>> On the web console:
>>
>> Browse to HBAC TEST
>>
>> Who: mike
>> Accessing: pix.beta.local
>> Via service: tac_plus
>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe
>> this has any effect)
>> Rules: tacacs
>>
>> Run Test -> Access Granted with matched rules showing tacacs
>>
>> On the command line:
>>
>> ipa hbactest
>> User name: mike
>> Target Host: pix.beta.local
>> Service: tac_plus
>> ---------------------
>> Access granted: False
>> ---------------------
>> Not matched rules: tacacs
>>
>> tacacs rule:
>> General: Enabled
>> Who: user group: ciscoadmin -> mike is a member
>> accessing: cisco-devices -> pix.beta.local is a member
>> Via Service: tac_plus
>> From: any host
>>
>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is
>> still present)
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
> I do not know whether this issue was resolved. Hope it was on the IRC or
> in some other way.
>
> The problem above is related to the "from host" I believe.
> Please do not use the "from host". The whole concept is a bit broken and
> not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I get:

Input form contains invalid of missing values.
Missing values:
Source host.

Thanks,
Mike