Description of problem: More explanation is required on HBAC allow_all. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/hbac-rules.html It says: "While access must be explicitly granted to users and hosts within the IdM domain, IdM servers are configured by default with an allow all access control rule which allows access for every host within the domain to every host within the domain. To create an IdM server without the default allow all rule, run ipa-server-install with the --no_hbac_allow option." This chapter needs to begin with an explanation that makes it clear that, when setting up HBAC rules, step one is to remove the default allow_all rule, and why you must do that, because it creates problems in understanding the functionality. http://www.freeipa.org/page/Howto/HBAC_and_allow_all The above link gives clear information about HBAC,
The documentation team will take a thorough look at the whole chapter and review it. We will pay special attention to allow_all to make sure the chapter explains its usage clearly.
One note: removing the rule should not be step 1 in an existing environment. For new installations in early stages it is mostly OK. Removing it would prevent all managed users from logging in to IPA clients. So the order should be:
1. define your own HBAC rules
2. test them with the HBAC test utility
3. disable the allow_all HBAC rule
The updated chapter is now pending review.
The updated chapter has been reviewed and acked. The chapter now clearly states what steps are required to configure HBAC:
1. Create HBAC rules
2. Test the new HBAC rules
3. Disable the default allow_all HBAC rule
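The three-step cut-over described in the two comments above (create rules, test them, only then disable allow_all), as an added shell example that is not part of this bug, the IdM documentation, or the FreeIPA project. The rule name sysadmin_ssh, the user alice, the host web01.example.test and the IPA_CMD variable are constructed for illustration; the ipa subcommands and options used (hbacrule-add, hbacrule-add-user, hbacrule-add-host, hbacrule-add-service, hbactest with --rules, hbacrule-disable) are the standard IPA CLI ones. The point the comments make is built into the script: while allow_all is still enabled, a plain `ipa hbactest` matches allow_all and reports "Access granted: True" for everyone, so the checks pass `--rules=` to evaluate only the new rule, and allow_all is disabled only after an expected-allow and an expected-deny case both behave as intended.

```shell
#!/bin/sh
# Added example: HBAC cut-over in the order create -> test -> disable allow_all.
# Names (sysadmin_ssh, alice, bob, web01.example.test) are constructed.
# IPA_CMD is an assumption of this example so the ipa client can be swapped
# for a stub when exercising the logic offline; it defaults to the real `ipa`.
IPA_CMD="${IPA_CMD:-ipa}"

# hbac_granted: read `ipa hbactest` output on stdin; succeed only when the
# verdict line reads "Access granted: True".
hbac_granted() {
    grep -q 'Access granted: True'
}

# check_access USER HOST SERVICE RULE
# Evaluate only RULE via --rules=, so the verdict is not masked by allow_all
# while allow_all is still enabled.
check_access() {
    "$IPA_CMD" hbactest --user="$1" --host="$2" --service="$3" --rules="$4" \
        | hbac_granted
}

# create_rule NAME USERS HOSTS HBACSVC
# Step 1: a rule allowing USERS on HOSTS for the named HBAC service (e.g. sshd).
create_rule() {
    "$IPA_CMD" hbacrule-add "$1" >/dev/null
    "$IPA_CMD" hbacrule-add-user "$1" --users="$2" >/dev/null
    "$IPA_CMD" hbacrule-add-host "$1" --hosts="$3" >/dev/null
    "$IPA_CMD" hbacrule-add-service "$1" --hbacsvcs="$4" >/dev/null
}

# cutover RULE
# Step 2: verify an expected-allow and an expected-deny case against RULE.
# Step 3: disable allow_all only if both checks hold; otherwise return 1 and
# leave allow_all enabled so nobody is locked out by an untested rule.
cutover() {
    rule="$1"
    check_access alice web01.example.test sshd "$rule" || {
        echo "cutover aborted: alice should be allowed by $rule" >&2
        return 1
    }
    if check_access bob web01.example.test sshd "$rule"; then
        echo "cutover aborted: bob should be denied by $rule" >&2
        return 1
    fi
    "$IPA_CMD" hbacrule-disable allow_all >/dev/null
}

main() {
    create_rule sysadmin_ssh alice web01.example.test sshd
    cutover sysadmin_ssh
    "$IPA_CMD" hbacrule-find
}

# Run the procedure only when explicitly asked (HBAC_EXAMPLE_RUN=1 ./hbac-cutover.sh),
# so sourcing the file for its functions does not touch a live IdM server.
if [ "${HBAC_EXAMPLE_RUN:-0}" = 1 ]; then
    main
fi
```

Usage: after `kinit admin`, run `HBAC_EXAMPLE_RUN=1 sh hbac-cutover.sh`. For a real environment, replace the two hard-coded cases in cutover with the users, hosts and services that matter to you, and keep at least one expected-deny case; a test suite that only checks "granted" cannot distinguish a working rule from allow_all still being in effect.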
The update is now available on the Customer Portal.