From Fedora Project Wiki


HBAC testing.


  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
  2. Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
  3. This requires a separate client machine from the IPA server machine (see QA:Testcase_freeipav2_client_enrollment)

How to test

First create a user for the test:

# kinit admin
# ipa user-add test1 --first=Testing --last=User --password

Log in as test1 to set the password:

# kinit test1

Initial testing

Try to log in on the client computer as test1. If login fails, something is probably wrong with your configuration.

Adding new HBAC rule

Become admin again:

# kinit admin

Add a second test user to IPA (the --password option is needed again):

# ipa user-add test2 --first=Another --last=User --password

We now have two users: test1 and test2.

Create a new hbac rule of type deny and add one of the users (here test2) to it. The category options make the rule apply to any service and any source host:

# ipa hbacrule-add testrule --type=deny --servicecat=all --srchostcat=all
# ipa hbacrule-add-user testrule --users=test2

Add the client host to the rule (substitute the enrolled client's FQDN):

# ipa hbacrule-add-host testrule --hosts=<client FQDN>

Try to log in as each user on the client machine - one should fail, one should work.

Try various modifications to the rule:

  • Add a third user, put users into a group, and add that group to the hbac rule instead of individual users.
  • Assign multiple users to the rule. Useful commands:

# ipa group-add testgroup
# ipa group-add-member testgroup --users=test1,test2

Delete the hbac rule and try logging in as each user: login should work for all of them.

Inverse access policy

By default all users are allowed access to all machines, and you deny specific users or groups access to all or specific machines. This test inverts that approach.

Delete or disable the default hbac rule (all access granted to all users):

# ipa hbacrule-disable allow_all

Add new rule (all access denied to all users):

# ipa hbacrule-add deny_all --type=deny --usercat=all --hostcat=all --srchostcat=all --servicecat=all

Add a rule that allows one of the test users access to the client machine.

  • Try various modifications of the rule (multiple users, user groups, ...).
  • Test every modification by trying to log in on the client machine.
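The deny-rule steps above and the inverse policy in this section both come down to how IPA evaluates HBAC rules against a user, target host and PAM service. The following offline model is an added example, not part of this wiki page or of FreeIPA's own code; it constructs the rules from the test steps (allow_all, testrule, testgroup, an allow rule for test1) and assumes, as the expected results imply, that a matching enabled deny rule wins over any allow rule. The client FQDN is a constructed placeholder, and source-host matching is not modelled (every rule is treated as --srchostcat=all).

```python
from dataclasses import dataclass, field

CLIENT = "client.example.test"   # constructed placeholder for the enrolled client's FQDN

@dataclass
class HbacRule:
    name: str
    type: str = "allow"            # "allow" or "deny" (--type=deny)
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    usercat: str = ""              # "all" mirrors --usercat=all
    hostcat: str = ""              # "all" mirrors --hostcat=all
    servicecat: str = ""           # "all" mirrors --servicecat=all

def rule_matches(rule, user, host, service, membership):
    """True when an enabled rule covers this user, target host and PAM service."""
    user_ok = rule.usercat == "all" or user in rule.users \
        or bool(membership.get(user, set()) & rule.groups)
    host_ok = rule.hostcat == "all" or host in rule.hosts
    svc_ok = rule.servicecat == "all" or service in rule.services
    return rule.enabled and user_ok and host_ok and svc_ok

def hbac_allowed(rules, user, host, service, membership=None):
    """Assumed order: a matching deny rule wins; otherwise an allow rule must
    match; otherwise access is denied (there is no implicit allow)."""
    matching = [r for r in rules if rule_matches(r, user, host, service, membership or {})]
    if any(r.type == "deny" for r in matching):
        return False
    return any(r.type == "allow" for r in matching)

# The default rule that `ipa hbacrule-disable allow_all` switches off.
ALLOW_ALL = HbacRule("allow_all", usercat="all", hostcat="all", servicecat="all")

def deny_rule_scenario():
    """testrule: deny test2 on the client host, any service."""
    testrule = HbacRule("testrule", type="deny", users={"test2"}, hosts={CLIENT}, servicecat="all")
    return {u: hbac_allowed([ALLOW_ALL, testrule], u, CLIENT, "sshd") for u in ("test1", "test2")}

def group_rule_scenario():
    """Same deny rule, but applied through testgroup (test1 and test2); test3 stays outside."""
    members = {"test1": {"testgroup"}, "test2": {"testgroup"}, "test3": set()}
    testrule = HbacRule("testrule", type="deny", groups={"testgroup"}, hosts={CLIENT}, servicecat="all")
    return {u: hbac_allowed([ALLOW_ALL, testrule], u, CLIENT, "sshd", members) for u in members}

def inverse_policy_scenario():
    """allow_all disabled, so only an explicit allow rule lets test1 in."""
    off = HbacRule("allow_all", enabled=False, usercat="all", hostcat="all", servicecat="all")
    allow_test1 = HbacRule("allow_test1", users={"test1"}, hosts={CLIENT}, servicecat="all")
    return {u: hbac_allowed([off, allow_test1], u, CLIENT, "sshd") for u in ("test1", "test2")}
```

The inverse scenario leaves out the page's deny_all rule: under the assumed deny-precedence it would match test1 as well, so the model relies on the default deny that disabling allow_all already produces.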

Services and service types

Find a service that uses PAM for authentication (e.g. ssh; other services work too) and configure it on the client.

Add the service to IPA:

# ipa help hbacsvc

Create a rule that denies the user access to that service. Verify that the user's other access still works.

# ipa help hbacrule-add-service

Expected Results

All the test steps should end with the specified results.