This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2231

Simulating a user access status on an IPA server with more than 100 hbacrules (where the allow rule does not fall in the first 100) the result is displayed as "Access granted: False". We should provide a "--sizelimit" option like we have for "ipa hbacrule-find" which would fetch all the rules specified in the --sizelimit and display the correct status.
Fixed upstream:
Pushed to ipa-2-2: 7eaf1dc594294688daeba31a87781d299e45f038
Pushed to master: 1e04e9f02978592d861895bd14e8b3a2ee2c7100
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
1. for i in {1000..1010}; do ipa hbacrule-add $i; done
2. ipa config-mod --searchrecordslimit=5
3. ipa hbacrule-disable allow_all
4. ipa hbacrule-add 782927
5.
{{{
[root@primenova ~]# ipa hbacrule-show 782927 --all
dn: ipauniqueid=ff7775d4-aa15-11e1-9fdd-52540063d50e,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Rule name: 782927
Enabled: TRUE
Users: shanks
Hosts: primenova.lab.eng.pnq.redhat.com
Source Hosts: rodimus.lab.eng.pnq.redhat.com
Services: sshd
accessruletype: allow
ipauniqueid: ff7775d4-aa15-11e1-9fdd-52540063d50e
objectclass: ipaassociation, ipahbacrule
[root@primenova ~]#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
[root@primenova ~]# ipa hbactest --user=shanks --srchost=rodimus.lab.eng.pnq.redhat.com --host=primenova.lab.eng.pnq.redhat.com --service=sshd
---------------------
Access granted: False
---------------------
Warning: Sourcehost value of rule "1000" is ignored
Warning: Sourcehost value of rule "1001" is ignored
Warning: Sourcehost value of rule "1002" is ignored
Warning: Sourcehost value of rule "1003" is ignored
Not matched rules: 1000
Not matched rules: 1001
Not matched rules: 1002
Not matched rules: 1003
[root@primenova ~]#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
[root@primenova ~]# ipa hbactest --user=shanks --srchost=rodimus.lab.eng.pnq.redhat.com --host=primenova.lab.eng.pnq.redhat.com --service=sshd --sizelimit=15
--------------------
Access granted: True
--------------------
Warning: Sourcehost value of rule "1000" is ignored
Warning: Sourcehost value of rule "1001" is ignored
Warning: Sourcehost value of rule "1002" is ignored
Warning: Sourcehost value of rule "1003" is ignored
Warning: Sourcehost value of rule "1004" is ignored
Warning: Sourcehost value of rule "1005" is ignored
Warning: Sourcehost value of rule "1006" is ignored
Warning: Sourcehost value of rule "1007" is ignored
Warning: Sourcehost value of rule "1008" is ignored
Warning: Sourcehost value of rule "1009" is ignored
Warning: Sourcehost value of rule "1010" is ignored
Warning: Sourcehost value of rule "782927" is ignored
Matched rules: 782927
Not matched rules: 1000
Not matched rules: 1001
Not matched rules: 1002
Not matched rules: 1003
Not matched rules: 1004
Not matched rules: 1005
Not matched rules: 1006
Not matched rules: 1007
Not matched rules: 1008
Not matched rules: 1009
Not matched rules: 1010
[root@primenova ~]#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
[root@primenova ~]# ipa hbactest --user=shanks --srchost=rodimus.lab.eng.pnq.redhat.com --host=primenova.lab.eng.pnq.redhat.com --service=sshd --rule=782927
--------------------
Access granted: True
--------------------
Warning: Sourcehost value of rule "782927" is ignored
Matched rules: 782927
[root@primenova ~]#
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
}}}

Verified: ipa-server-2.2.0-16.el6.x86_64
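The verification above shows that a "False" verdict from hbactest only means something if every enabled rule was evaluated. The following is an added example, not part of the original report or of FreeIPA: it parses hbactest output in the format shown above and flags a deny computed over a truncated rule set. The function names, the rule inventory passed in as a list, and the sample outputs are constructed for illustration.

```python
import re

# Rule inventory from the reproducer above: rules 1000..1010 plus 782927
# (allow_all is disabled). Passing it in as a list is an assumption of this
# sketch; on a real server it would come from a full rule listing.
ENABLED_RULES = [str(n) for n in range(1000, 1011)] + ["782927"]

# Constructed samples in the output format shown in the report.
TRUNCATED_RUN = "\n".join(
    ["Access granted: False"]
    + [f"  Not matched rules: {n}" for n in range(1000, 1004)]
)
FULL_RUN = "\n".join(
    ["Access granted: True", "  Matched rules: 782927"]
    + [f"  Not matched rules: {n}" for n in range(1000, 1011)]
)

LINE = re.compile(r"^\s*(Access granted|Matched rules|Not matched rules):\s*(.+?)\s*$")


def parse_hbactest(output):
    """Return the verdict and the rule names hbactest actually evaluated."""
    result = {"granted": None, "matched": [], "not_matched": []}
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # separators, warnings, shell prompts
        key, value = m.groups()
        if key == "Access granted":
            result["granted"] = value == "True"
        else:
            result["matched" if key == "Matched rules" else "not_matched"].append(value)
    return result


def assess(output, enabled_rules):
    """Flag a deny verdict that was computed over a truncated rule set."""
    run = parse_hbactest(output)
    evaluated = set(run["matched"]) | set(run["not_matched"])
    missing = [r for r in enabled_rules if r not in evaluated]
    # Assumes allow-type rules only (as in the report): one match settles a
    # grant, but a deny is only meaningful if every enabled rule was tested.
    conclusive = bool(run["granted"]) or not missing
    return {"granted": run["granted"], "missing": missing, "conclusive": conclusive}
```
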
automated
{{{
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-782927: Test --sizelimit option to hbactest
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'ipa config-mod --searchrecordslimit=5'
:: [ PASS ] :: Running 'ipa config-show'
:: [ LOG ] :: ################## No Limit :: use global setting ##############
:: [ PASS ] :: 5 hbac rules returned as expected with global size limit of 5
:: [ LOG ] :: ################# Set size limit to 7 #########################
:: [ PASS ] :: 7 hbac rules returned as expected with size limit of 7
:: [ PASS ] :: Running 'ipa config-mod --searchrecordslimit=100'
:: [ PASS ] :: Running 'ipa config-show'
:: [ LOG ] :: Duration: 1m 0s
:: [ LOG ] :: Assertions: 7 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-782927: Test --sizelimit option to hbactest
}}}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html