Michael Mercier wrote:
On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

On 08/31/2012 09:33 AM, Michael Mercier wrote:
Hello,

I seem to be having a problem with the HBAC test:

Versions:
[root@ipaserver ipatest]# rpm -qa|grep ^ipa
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64


On the web console:

Browse to HBAC TEST

Who: mike
Accessing: pix.beta.local
Via service: tac_plus
From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this 
has any effect)
Rules: tacacs

Run Test -> Access Granted with matched rules showing tacacs

On the command line:

ipa hbactest
User name: mike
Target Host: pix.beta.local
Service: tac_plus
---------------------
Access granted: False
---------------------
  Not matched rules: tacacs

tacacs rule:
General: Enabled
Who: user group: ciscoadmin -> mike is a member
accessing: cisco-devices -> pix.beta.local is a member
Via Service: tac_plus
From: any host

NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
still present)

Any ideas?

Thanks,
Mike

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


I do not know whether this issue was resolved. Hope it was on the IRC or
in some other way.

The problem above is related to the "from host" I believe.
Please do not use the "from host". The whole concept is a bit broken and
not reliable.

I don't seem to be able to *not* select a 'from host' with the web console; I get:

Input form contains invalid of missing values.

Missing values:
      Source host.

I believe this value is ignored anyway.

This is very strange as the same backend is used to evaluate both the web and cli rules.

It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.

If you want to give this a go, edit /etc/ipa/default.conf and add

debug = True

and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response.

You probably don't want to leave this enabled for too long.

rob
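Rob's steps as an added script (not code from the thread or from FreeIPA): it turns debugging on, reruns the CLI test once with the source host the web UI insisted on and once without it, prints what the server logged for both, and turns debugging off again. It uses the --srchost and --rules options of ipa hbactest; that the debug log lines contain the command name, and the httpd restart command, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: apply Rob's debugging steps as a
# script, rerun the CLI test with the same inputs the web UI used, then turn
# debugging off again so it is not left enabled.
IPA_CONF=${IPA_CONF:-/etc/ipa/default.conf}
HTTPD_LOG=${HTTPD_LOG:-/var/log/httpd/error_log}

# ipa_set_debug FILE on|off: set "debug = True|False" under [global],
# replacing an existing debug line rather than adding a second one.
ipa_set_debug() {
    case $2 in on) val=True ;; off) val=False ;; *) return 2 ;; esac
    awk -v val="$val" '
        /^debug[[:space:]]*=/ { if (!done) print "debug = " val; done = 1; next }
        { print }
        /^\[global\]/ && !done { print "debug = " val; done = 1 }
        END { if (!done) print "debug = " val }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# ipa_get_debug FILE: print the current debug value, empty if unset.
ipa_get_debug() {
    sed -n 's/^debug[[:space:]]*=[[:space:]]*//p' "$1"
}

restart_httpd() {
    service httpd restart 2>/dev/null || systemctl restart httpd
}

# hbac_debug_run USER HOST SERVICE SRCHOST RULE: run the test once with the
# source host the web UI required and once without it, then show the
# request/response lines the server logged for both (assumption: with
# debug = True the command name appears in those lines).
hbac_debug_run() {
    ipa_set_debug "$IPA_CONF" on && restart_httpd
    start=$(wc -l < "$HTTPD_LOG")
    # do not abort the script when the test reports access denied
    ipa hbactest --user="$1" --host="$2" --service="$3" \
        --srchost="$4" --rules="$5" || true
    ipa hbactest --user="$1" --host="$2" --service="$3" --rules="$5" || true
    tail -n +"$((start + 1))" "$HTTPD_LOG" | grep -i hbactest
    ipa_set_debug "$IPA_CONF" off && restart_httpd
}

# e.g. ./hbac_debug.sh mike pix.beta.local tac_plus ipaclient.beta.local tacacs
if [ "$#" -eq 5 ]; then
    hbac_debug_run "$@"
fi
```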


