#3416 [RFE] Add admins group, ipa masters hostgroup, ssh HBAC rule
Closed: Fixed. Opened 8 years ago by rcritten.

We want users in the admins group to always be able to log into the IPA masters.

We should create a new hostgroup that contains all of the IPA masters in it. This hostgroup would be created on new installs and updated at the same time that cn=masters is updated (so via replication changes and when new masters are added).

A new HBAC rule for the ssh service will be added that allows users in the admins group to machines in the IPA masters hostgroup.

We will not prevent additional hosts from being added to the hostgroup.

A task will be needed to handle upgrades so that any missing IPA masters can be added.
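As an added example (not code from the ticket or the FreeIPA project), this is the HBAC rule the ticket describes, expressed with the stock `ipa` CLI against the `ipaservers` host group that later FreeIPA releases maintain automatically. The rule name, its description, the `IPA`/`RULE`/`HOSTGROUP` variables and the `apply|lockdown|test` sub-commands are this example's own assumptions; running it for real needs an admin Kerberos ticket (`kinit admin`).

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Builds the "admins may ssh to the
# IPA servers" HBAC rule from the ticket with the standard `ipa` CLI.
# Rule name, description and variable names are this example's own choices.
set -eu

# Set IPA=echo to dry-run: the commands are printed instead of executed.
IPA="${IPA:-ipa}"
RULE="${RULE:-allow_admins_ssh_to_ipaservers}"
# FreeIPA 4.3+ keeps the 'ipaservers' host group in sync with cn=masters.
HOSTGROUP="${HOSTGROUP:-ipaservers}"

# Create the rule and attach who (group admins), where (the IPA servers
# host group) and which PAM service (sshd).
configure_rule() {
    $IPA hbacrule-add "$RULE" --desc="admins may ssh to IPA servers"
    $IPA hbacrule-add-user "$RULE" --groups=admins
    $IPA hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    $IPA hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# The rule only has an effect once the default catch-all is off: while
# 'allow_all' is enabled every user already matches on every host.
disable_allow_all() {
    $IPA hbacrule-disable allow_all
}

# Simulate the decision for one user/host pair without touching sshd.
# `ipa hbactest` prints "Access granted: True" or "False"; return 0 on True.
check_access() {
    user="$1"; host="$2"
    $IPA hbactest --user="$user" --host="$host" --service=sshd \
        | grep -q 'Access granted: True'
}

case "${1:-}" in
    apply)    configure_rule ;;
    lockdown) disable_allow_all ;;
    test)     check_access "$2" "$3" ;;
    *)        echo "usage: $0 apply|lockdown|test USER HOST" >&2 ;;
esac
```

Run `IPA=echo sh hbac-ipaservers.sh apply` first to review the exact commands, then `sh hbac-ipaservers.sh apply`, and verify with `sh hbac-ipaservers.sh test admin master1.example.test` before disabling `allow_all`, so an admin is never locked out of a master by a typo in the rule.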

We need to add a read permission for all masters so renewal scripts can work. With this hostgroup it would be straightforward. Moving to Needs triage.

As per jcholast's assessment, this is not strictly needed for 4.0 - moving to 4.1.

Jan, at least the ipa masters hostgroup will be needed, right? For the Topology plugin and proper remote DNA support (#4026).

Not required for replica promotion (#2888). As such, it is not required for 4.2, it may be postponed until it is required again.

  • a8d7ce5 aci: add IPA servers host group 'ipaservers'
  • 7b9a973 aci: replace per-server ACIs with ipaserver-based ACIs

  • 8f36a5b replica install: add ipaservers if it does not exist
The admins user group and the ipaservers host group exist now (4.3). Therefore moving this ticket to 4.3 as fixed.

For the hbac rule part, if anybody wants it, please open a new RFE ticket.

Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.3

4 years ago
