Ah I would love to help but have only been a Unix sysadmin for a couple years now (came from Windows side of house) and have little coding ability. Still happy to help in any way I can though if you can find a place/need for me. You have all been very helpful to me so I would like to give back if I can.

From: Jakub Hrozek <jhro...@redhat.com>
To: Martin Kosek <mko...@redhat.com>
Cc: Freeipa-users <freeipa-users@redhat.com>
Sent: Wednesday, August 19, 2015 12:23 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> > On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > sipazzo wrote:
> > > > and my users are able to authenticate to the directory but the hbac
> > > > rules are not being applied. Any user whether given access or not can
> > > > login to the Solaris systems. The "allow-all" rule has been disabled, my
> > > > nsswitch.conf file looks good and I have tried different configs of
> > > > pam.d, including the provided example to try to resolve the issue. Am I
> > > > missing some steps?
> > >
> > > HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> > one might try using solaris' RBAC system:
> >
> > http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> > You would have to distribute your changes to all solaris systems.
> >
> > There is a RBAC ldap schema
> > http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
> > solaris, but I have never tried using it with freeipa.
> >
> > --
> > Greetings,
> > natxo
>
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
>
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still working on this, but the progress is slow, RHEL maintenance tends to eat most time..

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project