This test case checks that a system enrolled in a FreeIPA domain honors the domain controller's host-based access control (HBAC) rules.
- Deploy a correctly-configured FreeIPA domain controller. You can follow:
- Enrol a test system in the domain. There are various ways to do this; you will find several test cases you can follow in the Server release validation test cases, FreeIPA test cases, and Realmd test cases.
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
- Make sure you have freeipa-admintools installed
# yum install freeipa-admintools
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
How to test
- On the system that joined the domain, switch to another VT (press
- Try to log in as the admin user.
host login: admin@IPA.EXAMPLE.ORG
- Now try to log in as test user.
host login: testuser@IPA.EXAMPLE.ORG
- Logging in as the admin user must fail, and logging in as the test user must succeed.
More testing - offline logins
- Before the test, make sure that credential caching is enabled on the client: open /etc/sssd/sssd.conf in your editor of choice
- Make sure that cache_credentials=True is present in the [domain] section of sssd.conf
- Restart the SSSD if you modified the config file:
service sssd restart
- Perform one more login online to cache the credentials
- Disconnect the client from the network. As root, shut down the NM service:
# service NetworkManager stop
- Log in as the test user again. The login should succeed.
- Don't forget to start networking again so that you are able to run the cleanup steps.
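As an added check (an example script, not part of this test case or of FreeIPA), the following POSIX shell functions confirm the two conditions the steps above depend on: that the rule set actually denies admin and grants testuser on this host, evaluated server-side with `ipa hbactest`, and that `cache_credentials = True` sits inside the `[domain/...]` section of sssd.conf (the section SSSD reads it from) rather than in some other section. The host name and realm are placeholders.

```shell
#!/bin/sh
# Added example, not the test case's own steps. Assumes the client tools are
# installed and that `ipa hbactest` prints a line "Access granted: True|False".

# hbac_granted: read `ipa hbactest` output on stdin; exit 0 if access was
# granted, 1 if it was denied, 2 if no verdict line was found at all.
hbac_granted() {
    verdict=$(sed -n 's/^ *Access granted: *//p' | head -n 1)
    case "$verdict" in
        True)  return 0 ;;
        False) return 1 ;;
        *)     return 2 ;;
    esac
}

# sssd_caching_enabled: exit 0 if "cache_credentials = True" (any case,
# optional spaces) appears inside a [domain/...] section of the file in $1.
# A key placed in [sssd], [nss] or [pam] does not count: SSSD ignores it there.
sssd_caching_enabled() {
    awk '
        /^[[:space:]]*\[/ { in_domain = ($0 ~ /^[[:space:]]*\[domain\//); next }
        in_domain && tolower($0) ~ /^[[:space:]]*cache_credentials[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_hbac_live: ask the domain controller how the enabled HBAC rules
# evaluate for this host (placeholder default: the client's FQDN). The test
# case expects admin to be denied and testuser to be allowed.
check_hbac_live() {
    host=${1:-$(hostname -f)}
    if ipa hbactest --user=admin --host="$host" --service=login | hbac_granted; then
        echo "FAIL: admin is still granted access on $host" >&2
        return 1
    fi
    ipa hbactest --user=testuser --host="$host" --service=login | hbac_granted
}
```

Run `check_hbac_live` on the enrolled client after `kinit admin`; `sssd_caching_enabled /etc/sssd/sssd.conf` needs root to read the file.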
Clean-up after the test
Enable the allow_all rule again to avoid interference with other tests:
$ kinit admin
$ ipa hbacrule-enable allow_all