https://bugzilla.redhat.com/show_bug.cgi?id=734706
Version-Release number of selected component (if applicable):
ipa-server-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64
ipa-admintools-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64
ipa-python-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64

How reproducible: Always

Steps to Reproduce:
1. Create an ipa user.
2. Create an hbacrule with ipausers group.

[root@bumblebee ~]# ipa group-show ipausers
Group name: ipausers
Description: Default group for all users
GID: 1798000001
Member users: user1, user2
[root@bumblebee ~]# ipa hbacrule-show ssh --all
dn: ipauniqueid=af2c57e6-cfed-11e0-8fa4-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Rule name: ssh
Source host category: all
Enabled: TRUE
Groups: admins, ipausers
Hosts: ironhide.lab.eng.pnq.redhat.com
Services: sshd
accessruletype: allow
ipauniqueid: af2c57e6-cfed-11e0-8fa4-525400deab7b
objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]#

3. Execute the ipa hbactest to evaluate and check whether the access for user1 is true or false.
4. [root@bumblebee ~]# ipa hbactest --user=user1 --srchost=all --host=ironhide.lab.eng.pnq.redhat.com --service=sshd

Actual results:
[root@bumblebee ~]# ipa hbactest --user=user1 --srchost=all --host=ironhide.lab.eng.pnq.redhat.com --service=sshd
Access granted: False
---------------------
notmatched: rule1
notmatched: ssh

Expected results: Should be "True", since user1 belongs to ipausers.

Additional info:
hbactest should pull in user's groups when evaluating the request. Same should happen with host groups. Additionally hbactest should account for external hosts/users (not existing in IPA) as those are valid to test as well.
master: 1bdb5d0
ipa-2-1: 452863d
Metadata Update from @shanks: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 2.1.2 (bug fixing)
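The evaluation this ticket asks for, as an added example (not FreeIPA's hbactest code): a rule is matched against the user's and host's group memberships as well as their direct names, and names unknown to the directory still evaluate cleanly. The `ssh` rule and `ipausers` members come from the report; the `http` rule, the `webservers` host group, `web1.example.test` and the `admins` member are constructed assumptions, and source-host matching and nested groups are left out.

```python
# Added illustration of HBAC evaluation with group expansion; data is constructed.
GROUPS = {"ipausers": {"user1", "user2"}, "admins": {"admin"}}   # group -> users
HOSTGROUPS = {"webservers": {"web1.example.test"}}              # hostgroup -> hosts

RULES = [
    {"name": "ssh", "enabled": True, "users": set(),
     "groups": {"admins", "ipausers"},
     "hosts": {"ironhide.lab.eng.pnq.redhat.com"}, "hostgroups": set(),
     "services": {"sshd"}},
    {"name": "http", "enabled": True, "users": set(),
     "groups": {"ipausers"},
     "hosts": set(), "hostgroups": {"webservers"},
     "services": {"httpd"}},
]

def memberships(name, groups):
    """Groups listing `name` as a member; empty set for external (unknown) names."""
    return {g for g, members in groups.items() if name in members}

def rule_matches(rule, user, host, service, expand=True):
    # expand=False reproduces the reported behaviour: only direct members match.
    user_groups = memberships(user, GROUPS) if expand else set()
    host_groups = memberships(host, HOSTGROUPS) if expand else set()
    user_ok = user in rule["users"] or bool(user_groups & rule["groups"])
    host_ok = host in rule["hosts"] or bool(host_groups & rule["hostgroups"])
    return rule["enabled"] and user_ok and host_ok and service in rule["services"]

def hbactest(user, host, service, expand=True):
    """Return the access decision plus matched / notmatched rule names."""
    matched = [r["name"] for r in RULES
               if rule_matches(r, user, host, service, expand)]
    notmatched = [r["name"] for r in RULES if r["name"] not in matched]
    return {"granted": bool(matched), "matched": matched, "notmatched": notmatched}

if __name__ == "__main__":
    host = "ironhide.lab.eng.pnq.redhat.com"
    print(hbactest("user1", host, "sshd", expand=False))  # reported behaviour
    print(hbactest("user1", host, "sshd"))                 # groups pulled in
    print(hbactest("user2", "web1.example.test", "httpd")) # host group pulled in
    print(hbactest("outsider", host, "sshd"))              # external user
```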