On Mon, Nov 30, 2015 at 11:18:15AM +0100, Alexander Skwar wrote:
> Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
> change the "default" behaviour? I mean, by default, everything will
> be allowed for everyone on every system.

No.

> When I deactivate the allow_all - won't that mean, that nothing will
> be allowed for everyone on all systems?

That's right, nothing will be allowed. Disabling allow_all has the potential of making everything stop working. You need to plan carefully and replace the allow_all with tailored rules. For example, see http://www.freeipa.org/page/Howto/HBAC_and_allow_all

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
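
The point made in the reply above, as an added example that is not part of the original message and not FreeIPA or SSSD code: a simplified model of allow-only HBAC evaluation that lists which required logins would break if `allow_all` were disabled. User groups, host groups and service groups are left out, and all rule names, users and hosts other than `allow_all` are constructed for illustration.

```python
from dataclasses import dataclass, field

ALL = "all"  # category value meaning "matches anything" (as allow_all uses)

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)     # member users, or {ALL}
    hosts: set = field(default_factory=set)     # member hosts, or {ALL}
    services: set = field(default_factory=set)  # member services, or {ALL}

    def matches(self, user, host, service):
        def hit(members, value):
            return ALL in members or value in members
        return (self.enabled and hit(self.users, user)
                and hit(self.hosts, host) and hit(self.services, service))

def is_allowed(rules, user, host, service):
    """Allow-only evaluation: granted if any enabled rule matches.
    When no rule matches, the request is denied."""
    return any(r.matches(user, host, service) for r in rules)

def would_break(rules, rule_name, required):
    """Return the required (user, host, service) tuples that would be
    denied if the rule called rule_name were disabled."""
    remaining = [r for r in rules if r.name != rule_name]
    return [req for req in required if not is_allowed(remaining, *req)]

# Constructed sample policy: allow_all plus one tailored rule.
RULES = [
    HbacRule("allow_all", users={ALL}, hosts={ALL}, services={ALL}),
    HbacRule("web_admins_ssh", users={"alice"},
             hosts={"web1.example.test"}, services={"sshd"}),
]

# Constructed list of logins that must keep working after the change.
REQUIRED = [
    ("alice", "web1.example.test", "sshd"),
    ("bob", "db1.example.test", "sshd"),
]

if __name__ == "__main__":
    for user, host, service in would_break(RULES, "allow_all", REQUIRED):
        print(f"not covered by a tailored rule: {user} -> {service}@{host}")
```

An empty result from `would_break` means every required login is already covered by a tailored rule, which is the state to reach before disabling `allow_all`.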