From Fedora Project Wiki

Revision as of 06:48, 9 May 2013 by Stefw (Update requirements)


Check that FreeIPA's host-based access control (HBAC) rules are enforced on a machine after realmd has been used to join it to a FreeIPA domain.


  1. If you haven't already, run through the test case to join the domain.

How to test

  1. The intent here is to replace the default allow-everyone policy with an HBAC rule that permits access only when it is initiated by a specific user ("testuser"). Every other user, including admin, must then be refused at login even though their Kerberos password is correct.
  2. Make sure you have freeipa-admintools installed (it provides the ipa command used below)
    # yum install freeipa-admintools
  3. Create a FreeIPA user (after acquiring admin credentials)
    $ kinit admin
    $ ipa user-add testuser --first test --last user --password
  4. Create an HBAC rule that allows access to the user you just created
    $ ipa hbacrule-add testrule --servicecat=all --hostcat=all
    $ ipa hbacrule-add-user testrule --users=testuser
  5. Disable the default rule that allows access to everyone
    $ ipa hbacrule-disable allow_all
  6. On the system that joined the domain, change the testuser password for the first time. The password set by admin is expired, so kinit prompts for a new one.
    $ kinit testuser@IPA.EXAMPLE.ORG
    You will be prompted to enter a new password here
    Note that kinit succeeding does not exercise HBAC: the rules are enforced by SSSD at PAM account time on the client, not by the KDC. The actual check is the login in the next section.
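Before disabling allow_all it is worth simulating the decision with `ipa hbactest`, so that a mistake in testrule cannot lock every user out of the host. The script below is an added example and is not part of this test case; it assumes you hold an admin ticket (`kinit admin`), that the client is enrolled under its FQDN as printed by `hostname -f`, and that the PAM service names are "login" for the console and "sshd" for SSH. Passing `--rules=testrule` evaluates only that rule, which is the same situation as having allow_all disabled.

```bash
#!/bin/bash
# Added example, not part of the Fedora test case: dry-run the HBAC decision
# for each user with `ipa hbactest` BEFORE disabling allow_all.
# Assumptions (not from the page): a valid admin ticket, the client enrolled
# under its FQDN, and PAM service names "login" (console) and "sshd" (SSH).
set -u

# hbac_verdict OUTPUT: reduce `ipa hbactest` output to granted/denied/unknown.
# hbactest prints a line "Access granted: True" or "Access granted: False".
hbac_verdict() {
    case "$1" in
        *"Access granted: True"*)  echo granted ;;
        *"Access granted: False"*) echo denied ;;
        *)                         echo unknown ;;
    esac
}

# check_user USER HOST SERVICE RULES: simulate the decision for one user
# using only the listed rules (comma separated), e.g. "testrule".
check_user() {
    local out
    out=$(ipa hbactest --user="$1" --host="$2" --service="$3" --rules="$4" 2>&1) || true
    hbac_verdict "$out"
}

# expect_verdict USER HOST SERVICE RULES EXPECTED: fail loudly on mismatch.
expect_verdict() {
    local got
    got=$(check_user "$1" "$2" "$3" "$4")
    if [ "$got" = "$5" ]; then
        echo "ok   $1 via $3: $got"
    else
        echo "FAIL $1 via $3: expected $5, got $got" >&2
        return 1
    fi
}

# Only run the simulation where the ipa CLI is present.
if command -v ipa >/dev/null 2>&1; then
    host=$(hostname -f)
    # With only testrule in effect, admin must be denied and testuser granted.
    expect_verdict admin    "$host" login testrule denied
    expect_verdict testuser "$host" login testrule granted
    expect_verdict testuser "$host" sshd  testrule granted
fi
```

If the admin line does not come back "denied", testrule is broader than intended (for example a group or service category you did not mean to include) and disabling allow_all will not produce the expected results below.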

Expected Results

  1. On the system that joined the domain, switch to another VT (press Ctrl-Alt-F4).
  2. Logging in as admin should fail, even with the correct password.
    host login:
    You should see 'Permission Denied' appear for a second or two
    Login should not be possible
  3. Now log in as testuser; this should succeed.
    host login:
    The login should complete, and you should get to a standard unix shell prompt.

More testing - offline logins

  1. Before the test, make sure that credential caching is enabled on the client
    open /etc/sssd/sssd.conf in your editor of choice
    Make sure that cache_credentials = True is present in the [domain/<name>] section of sssd.conf (for example [domain/ipa.example.org]); the setting is per-domain and is ignored in the [sssd] or [pam] sections
    Restart the SSSD if you modified the config file: service sssd restart
  2. Perform one more login online as testuser to cache the credentials
  3. Disconnect the client from the network. As root, shut down the NM service:
    # service NetworkManager stop
  4. Log in as the test user again. The login should succeed.
    SSSD also caches the HBAC rules, so an offline login as admin should still be refused: the cache covers the policy as well as the password.
  5. Don't forget to start the networking again to make sure you're able to run the cleanup
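The offline step silently fails when cache_credentials sits in the wrong section, so it pays to check the file rather than eyeball it. The following is an added example, not part of this test case: it reads sssd.conf (the stock path /etc/sssd/sssd.conf is assumed) and reports, for every [domain/...] section, whether credential caching is on.

```bash
#!/bin/bash
# Added example, not part of the Fedora test case: verify cache_credentials
# is set to True in every [domain/...] section of sssd.conf. A line in [sssd]
# or [pam] does not count. Assumes the stock path /etc/sssd/sssd.conf.
set -u

# cache_enabled FILE: print "<domain> on|off" per domain section.
# Exit status 0 only if every domain has cache_credentials = True.
cache_enabled() {
    awk '
        BEGIN { bad = 0 }
        # Report the section just finished, if it was a domain section.
        function flush() {
            if (indomain) {
                sub(/^domain\//, "", sect)
                print sect, val
                if (val == "off") bad = 1
            }
        }
        /^[[:space:]]*\[/ {                     # section header
            flush()
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
            indomain = (sect ~ /^domain\//)
            val = "off"                         # default until the key is seen
            next
        }
        indomain && /^[[:space:]]*cache_credentials[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            val = (tolower(v) == "true") ? "on" : "off"
        }
        END { flush(); exit bad }
    ' "$1"
}

# Only run against the real config where it exists and is readable.
if [ -r /etc/sssd/sssd.conf ]; then
    cache_enabled /etc/sssd/sssd.conf ||
        echo "offline login will not work: set cache_credentials = True in each [domain/...] section" >&2
fi
```

Run it as root (the file is mode 0600). A non-zero exit means at least one domain would refuse logins while the IPA server is unreachable.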

Clean-up after the test

Enable the allow_all rule again to avoid interference with other test cases (while it is disabled, only testuser can log in on this client):

$ kinit admin
$ ipa hbacrule-enable allow_all