Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
- If you haven't already, run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
- Make sure you have freeipa-admintools installed
# yum install freeipa-admintools
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
- On the system that joined the domain, switch to another VT (press
- Logging in as the admin user should fail.
host login: admin
- You should see 'Permission Denied' appear for a second or two
- Login should not be possible
- Now log in as the test user; this should succeed.
host login: testuser
- The login should complete, and you should get to a standard unix shell prompt.
More testing - offline logins
- Before the test, make sure that credential caching is enabled on the client: open /etc/sssd/sssd.conf in your editor of choice
- Make sure that cache_credentials=True is present in the [domain] section of sssd.conf
- Restart the SSSD if you modified the config file:
service sssd restart
- Perform one more login online to cache the credentials
- Disconnect the client from the network. As root, shut down the NM service:
# service NetworkManager stop
- Log in as the test user again. The login should succeed.
- Don't forget to start NetworkManager again afterwards so that you are able to run the cleanup steps
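The credential-caching check above is easy to get wrong (setting is commented out, or placed under [sssd] instead of the domain section), and the symptom is only an unexplained offline login failure. The following script is an added example, not part of the Fedora test case; it parses an sssd.conf and reports whether cache_credentials is actually enabled in a [domain/...] section, using two constructed sample configs.

```bash
#!/bin/bash
# Added example: verify cache_credentials in the domain section of an sssd.conf
# before attempting the offline-login step. Not part of the original test case.

# check_cache_credentials FILE
# sssd.conf is INI-style; only a "cache_credentials = true" line inside a
# [domain/<name>] (or [domain]) section counts. Commented lines ("#", ";")
# are ignored because the key must start the line. Returns 0 if enabled.
check_cache_credentials() {
    awk '
        /^[[:space:]]*\[/ {
            in_domain = ($0 ~ /^[[:space:]]*\[domain(\/|\])/)
            next
        }
        in_domain && /^[[:space:]]*cache_credentials[[:space:]]*=/ {
            split($0, kv, "=")
            val = tolower(kv[2])
            gsub(/[[:space:]]/, "", val)
            found = (val == "true")      # last occurrence wins
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs (hypothetical realm ipa.example.org, not a real host).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.org

[domain/ipa.example.org]
id_provider = ipa
cache_credentials = True
EOF
cat > "$BAD_CONF" <<'EOF'
[sssd]
# cache_credentials = True   <- wrong section and commented out
domains = ipa.example.org

[domain/ipa.example.org]
id_provider = ipa
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_cache_credentials "$f"; then
        echo "$f: cache_credentials enabled; offline login can be tested"
    else
        echo "$f: cache_credentials NOT enabled; restart sssd after fixing"
    fi
done
```

Run it against the real client with `check_cache_credentials /etc/sssd/sssd.conf` after sourcing the function; remember that sssd must be restarted for the change to take effect.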
Clean-up after the test
Enable the allow_all rule again to avoid interference with other test cases:
$ kinit admin
$ ipa hbacrule-enable allow_all