Description
HBAC testing.
Setup
- Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
- Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
- This requires a separate client machine from the IPA server machine (see QA:Testcase_freeipav2_client_enrollment)
How to test
First create a user for the test:
# kinit admin
# ipa user-add test1 --first=Testing --last=User --password
Log in as test1 to set the password:
# kinit test1
Initial testing
Try to log in on the client computer as test1. If login fails, something is probably wrong with your configuration.
Adding new HBAC rule
Become admin again:
# kinit admin
Add a new test user to IPA (the --password option is required again):
# ipa user-add test2 --first=Another --last=User --password
We now have two users, e.g. test1 and test2.
Create a new HBAC rule of type deny and add one of the users (e.g. test1) to it. The options below also make the rule apply to any service and any source host:
# ipa hbacrule-add testrule --type=deny --servicecat=all --srchostcat=all
# ipa hbacrule-add-user testrule --users=test2
Add the client host to the rule:
# ipa hbacrule-add-host testrule --hosts=client.example.com
Try to log in as each user on the client machine - one should fail, one should work.
Try various modifications to the rule:
- Add a third user, collect users into groups, and then try adding these groups to the HBAC rule.
- Assign multiple users to the rule. Some useful tips:
# ipa group-add testgroup
# ipa group-add-member testgroup --users=test1,test2
Delete the HBAC rule and try logging in as each user; login should work for all of them.
Inverse access policy
By default, all users are allowed access to all machines, and you have to deny specific users or groups access to all or specific machines. This test inverts that approach.
Delete or disable the default HBAC rule (all access granted to all users):
# ipa hbacrule-disable allow_all
Add a new rule (all access denied to all users):
# ipa hbacrule-add deny_all --type=deny --usercat=all --hostcat=all --srchostcat=all --servicecat=all
Add a rule that allows one of the test users access to the client machine.
- Try various modifications of the rule (multiple users, user groups, ...).
- Test every modification by trying to log in on the client machine.
Services and service types
Find a service that uses PAM for authentication (e.g. ssh; other services can be used too) and configure it on the client.
Add the service to IPA:
# ipa help hbacsvc
Create a rule that denies the user access to the given service. Check that other access for that user still works.
# ipa help hbacrule-add-service
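One way to script the service steps above, as an added example that is not part of the original test case. The function name deny_service, the rule name sshrule and the IPA override variable are assumptions made for the example; setting IPA=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: build a deny rule scoped to a single PAM service.
# IPA names the CLI to call; set IPA=echo for a dry run that only prints.
IPA="${IPA:-ipa}"

# Usage: deny_service RULE USER HOST SERVICE
deny_service() {
    rule=$1 user=$2 host=$3 svc=$4

    # Register the PAM service name unless IPA already knows it.
    $IPA hbacsvc-show "$svc" >/dev/null 2>&1 ||
        $IPA hbacsvc-add "$svc" --desc="PAM service $svc" || return 1

    # No --servicecat=all here: the rule must match only the named service,
    # so that the user's access through other services stays unaffected.
    $IPA hbacrule-add "$rule" --type=deny --srchostcat=all || return 1
    $IPA hbacrule-add-user "$rule" --users="$user" || return 1
    $IPA hbacrule-add-host "$rule" --hosts="$host" || return 1
    $IPA hbacrule-add-service "$rule" --hbacsvcs="$svc" || return 1

    # Print the finished rule so the tester can review it before logging in.
    $IPA hbacrule-show "$rule" --all
}
```

Call it as `deny_service sshrule test1 client.example.com sshd` after `kinit admin`, then check on the client that ssh login as test1 fails while other access for test1 still works.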
Expected Results
All the test steps should end with the specified results.