Description of problem:

hbac-add-user --groups is successful and the membership is added to ldap, however executing the hbac-show command does not return the associated service groups.

ldap object:

# c698f682-1dd111b2-999dd799-3dad0000, hbac, testrelm
dn: ipaUniqueID=c698f682-1dd111b2-999dd799-3dad0000,cn=hbac,dc=testrelm
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: deny
ipaEnabledFlag: TRUE
cn: myrule
ipaUniqueID: c698f682-1dd111b2-999dd799-3dad0000
memberService: cn=mysvcgroup,cn=hbacservicegroups,cn=accounts,dc=testrelm

command result:

[root@dhcp-100-2-213 ipa-hbac-cli]# ipa hbac-show myrule
Rule name: myrule
Rule type: deny
Enabled: TRUE

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010110118git813dfe5.fc12.i686
ipa-admintools-1.91-0.2010110118git813dfe5.fc12.i686

How reproducible:
always

Steps to Reproduce:
1. Add a group
# ipa hbacsvcgroup-add --desc=mysvcgroup $mysvcgroup
2. Add an HBAC Rule
# ipa hbac-add --type=deny myrule
3. Associate the service group with the rule
# ipa hbac-add-service --hbacsvcgroups=mysvcgroup myrule
4. Verify the service group was associated with the show command
# ipa hbac-show myrule

Actual results:
Rule name: myrule
Rule type: deny
Enabled: TRUE

Expected results:
Rule name: myrule
Rule type: deny
Enabled: TRUE
Service groups: mysvcgroup

Additional info:
(In reply to comment #0)
> Description of problem:
>
> hbac-add-service --hbacsvcgroups is successful and the membership is added to ldap,
> however executing the hbac-show command does not return the associated service
> groups.
>
> ldap object:
>
> # c698f682-1dd111b2-999dd799-3dad0000, hbac, testrelm
> dn: ipaUniqueID=c698f682-1dd111b2-999dd799-3dad0000,cn=hbac,dc=testrelm
> objectClass: ipaassociation
> objectClass: ipahbacrule
> accessRuleType: deny
> ipaEnabledFlag: TRUE
> cn: myrule
> ipaUniqueID: c698f682-1dd111b2-999dd799-3dad0000
> memberService: cn=mysvcgroup,cn=hbacservicegroups,cn=accounts,dc=testrelm
>
> command result:
>
> [root@dhcp-100-2-213 ipa-hbac-cli]# ipa hbac-show myrule
> Rule name: myrule
> Rule type: deny
> Enabled: TRUE
>
> Version-Release number of selected component (if applicable):
> ipa-server-1.91-0.2010110118git813dfe5.fc12.i686
> ipa-admintools-1.91-0.2010110118git813dfe5.fc12.i686
>
>
> How reproducible:
> always
>
> Steps to Reproduce:
> 1. Add a group
> # ipa hbacsvcgroup-add --desc=mysvcgroup $mysvcgroup
> 2. Add an HBAC Rule
> # ipa hbac-add --type=deny myrule
> 3. Associate the service group with the rule
> # ipa hbac-add-service --hbacsvcgroups=mysvcgroup myrule
> 4. Verify the service group was associated with the show command
> # ipa hbac-show myrule
>
>
> Actual results:
> Rule name: myrule
> Rule type: deny
> Enabled: TRUE
>
> Expected results:
>
> Rule name: myrule
> Rule type: deny
> Enabled: TRUE
> Service groups: mysvcgroup
>
>
>
> Additional info:

https://fedorahosted.org/freeipa/ticket/494
The patch has been pushed to git repo, will be available in the next version.
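
An added example, not part of the bug report or of FreeIPA's code: a check that compares the memberService values in the rule's LDAP entry with the "Service groups" line of the hbac-show output, so a rule whose displayed view hides a stored service group is flagged. The function names are hypothetical, the sample data is constructed from the entry and output quoted in the report, and the parser assumes plain (non-base64) values and DNs without escaped commas.

```python
import re

# Constructed sample data, taken from the LDAP entry and CLI output in the report.
LDIF = """\
dn: ipaUniqueID=c698f682-1dd111b2-999dd799-3dad0000,cn=hbac,dc=testrelm
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: deny
ipaEnabledFlag: TRUE
cn: myrule
ipaUniqueID: c698f682-1dd111b2-999dd799-3dad0000
memberService: cn=mysvcgroup,cn=hbacservicegroups,cn=accounts,dc=testrelm
"""
SHOW_ACTUAL = "Rule name: myrule\nRule type: deny\nEnabled: TRUE\n"
SHOW_EXPECTED = SHOW_ACTUAL + "Service groups: mysvcgroup\n"


def ldif_service_groups(ldif):
    """Names of service groups referenced by memberService in one LDIF entry."""
    unfolded = re.sub(r"\n ", "", ldif)  # join LDIF continuation lines
    groups = set()
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "memberservice":
            continue
        # Assumption: no escaped commas in the DN, so a plain split is enough.
        rdns = [r.strip() for r in value.strip().split(",")]
        if len(rdns) > 1 and rdns[1].lower() == "cn=hbacservicegroups" \
                and rdns[0].lower().startswith("cn="):
            groups.add(rdns[0][3:])
    return groups


def shown_service_groups(output):
    """Names listed on the 'Service groups:' line of hbac-show output, if any."""
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() == "service groups":
            return {v.strip() for v in value.split(",") if v.strip()}
    return set()


def missing_from_show(ldif, output):
    """Service groups stored in LDAP but absent from the displayed rule."""
    return sorted(ldif_service_groups(ldif) - shown_service_groups(output))


if __name__ == "__main__":
    print("hidden service groups:", missing_from_show(LDIF, SHOW_ACTUAL))
```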