Yes, it does. Thank you.

On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina <sdut...@gmail.com> wrote:

> Sorry for misunderstanding.
>
> I understand HBAC rules will not work for Centos 5. I just wanted to make
> sure disabling "allow all" rule and adding new HBAC rules won't interfere
> with AD users logging on Centos 5.
>
> On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>> >Just found in
>> >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next
>> >sentence: "If you have HBAC's allow_all rule disabled, you will need to
>> >allow system-auth service on the FreeIPA master, so that authentication of
>> >the AD users can be performed."
>> >Is this true for FreeIPA 4.1.0 also and how could I do this?
>> Either you are reading it wrong or I don't get where you want to apply
>> HBAC rules because this is for IPA masters, not legacy clients per se.
>> Yes, you need to create HBAC service named 'system-auth' and grant
>> access to it to AD users on IPA masters, but all it will allow you is to
>> authenticate AD users via compat tree.
>>
>> If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD users
>> cannot be checked by those rules.
>>
>> --
>> / Alexander Bokovoy