Chapter 34. Using Ansible to configure HBAC and sudo rules in IdM


Using host-based access control (HBAC) in Identity Management (IdM), you can define policies that restrict access to hosts or services based on the following:

  • The user attempting to log in and this user’s groups
  • The host that a user is trying to access and the host groups to which that host belongs
  • The service that is being used to access a host

Using sudo, a user can run programs as another user, with different privileges, for example root privileges. In IdM, you can manage sudo rules centrally. You can define sudo rules based on user groups, host groups and command groups, as well as individual users, hosts and commands.

Complete this procedure to ensure the presence of the following HBAC and sudo rules for IdM users:

  • jane can only access host client01.idm.example.com.
  • john can only access host client02.idm.example.com.
  • Members of the admins group, which includes the default admin user as well as the regular alice user, can access any IdM host.
  • Members of the admins group can run sudo with the following commands on any IdM host:

    • /usr/sbin/reboot
    • /usr/bin/less
    • /usr/sbin/setenforce

The following diagram represents the desired configuration described above:

Figure 34.1. IdM HBAC and SUDO rules diagram

An image of IdM users and hosts showing different types of host access and sudo privileges for different users
NOTE
The procedure illustrates the use of an action group that simplifies the use of modules with module_defaults, which is only available in the freeipa.ansible_freeipa collection, not the ansible-freeipa rpm. You can set default values to be applied to all modules of the collection used in a playbook by using the action_group named freeipa.ansible_freeipa.modules. In the example, the IdM administrator password is defined in this way. The ansible-freeipa-collection is part of the rhel-9-for-x86_64-appstream-rpms repository in RHEL 9.5 and later.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.14 or later.
    • You are using RHEL version 9.5 or later.
    • You have installed the ansible-freeipa-collection subpackage.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
  • The users jane, john and alice exist in IdM. Passwords are configured for these accounts.

Procedure

  1. Create your Ansible playbook file add-hbac-and-sudo-rules-to-idm.yml with the following content:

    ---
    - name: Playbook to manage IPA HBAC and SUDO rules
      hosts: ipaserver
      become: false
      gather_facts: false
      collections: freeipa.ansible_freeipa
    
      vars_files:
      - /home/<user_name>/MyPlaybooks/secret.yml
    
      module_defaults:
        group/freeipa.ansible_freeipa.modules:
          ipaadmin_password: "{{ ipaadmin_password }}"
    
      tasks:
      - name: HBAC Rule for Jane - can log in to client01
        ipahbacrule: # Creates the rule
          name: Jane_rule
          hbacsvc:
          - sshd
          - login
          host: # Host name
          - client01.idm.example.com
          user:
          - jane
    
      - name: HBAC Rule for John - can log in to client02
        ipahbacrule: # Creates the rule
          name: john_rule
          hbacsvc:
          - sshd
          - login
          host: # Host name
          - client02.idm.example.com
          user:
          - john
    
      - name: Add user member alice to group admins
        ipagroup:
          name: admins
          action: member
          user:
          - alice
    
      - name: HBAC Rule for IdM administrators
        ipahbacrule: # Rule to allow admins full access
          name: admin_access # Rule name
          servicecat: all # All services
          hostcat: all # All hosts
          group: # User group
          - admins
    
      - name: Add reboot command to SUDO
        ipasudocmd:
          name: /usr/sbin/reboot
          state: present

      - name: Add less command to SUDO
        ipasudocmd:
          name: /usr/bin/less
          state: present

      - name: Add setenforce command to SUDO
        ipasudocmd:
          name: /usr/sbin/setenforce
          state: present
    
      - name: Create a SUDO command group
        ipasudocmdgroup:
          name: cmd_grp_1
          description: "Group of important commands"
          sudocmd:
          - /usr/sbin/setenforce
          - /usr/bin/less
          - /usr/sbin/reboot
          action: sudocmdgroup
          state: present
    
      - name: Create a SUDO rule with a SUDO command group
        ipasudorule:
          name: sudo_rule_1
          allow_sudocmdgroup:
          - cmd_grp_1
          group: admins
          state: present
    
      - name: Disable allow_all HBAC Rule
        ipahbacrule: # Disables the default rule that lets every user log in to every host
          name: allow_all # Rule name
          state: disabled # While allow_all is enabled, the rules above restrict nothing
  2. Run the playbook:

    $ ansible-playbook --vault-password-file=password_file -i inventory add-hbac-and-sudo-rules-to-idm.yml
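The playbook relies on how IdM evaluates HBAC rules: a rule grants access only when its user (or group), host and service parts all match, a category of all matches anything, and disabled rules are ignored, which is why the built-in allow_all rule is disabled in the last task. The following offline model of that evaluation is an added example, not code from the Red Hat documentation or from ansible-freeipa; it encodes the rules exactly as the playbook defines them, assumes the admins membership given in this procedure, and shows what would change if allow_all were left enabled.

```python
# Offline model of how IdM evaluates the HBAC rules this playbook creates.
# Added example, not part of the Red Hat documentation or ansible-freeipa:
# a rule grants access when its user, host and service parts all match,
# "all" (usercat/hostcat/servicecat: all) matches anything, disabled rules are skipped.

ALL = "all"  # stands in for usercat/hostcat/servicecat: all
GROUP_MEMBERS = {"admins": {"admin", "alice"}}  # memberships from the procedure

# Rules as the playbook defines them; allow_all is IdM's built-in default rule.
RULES = [
    {"name": "Jane_rule", "enabled": True, "users": {"jane"}, "groups": set(),
     "hosts": {"client01.idm.example.com"}, "services": {"sshd", "login"}},
    {"name": "john_rule", "enabled": True, "users": {"john"}, "groups": set(),
     "hosts": {"client02.idm.example.com"}, "services": {"sshd", "login"}},
    {"name": "admin_access", "enabled": True, "users": set(),
     "groups": {"admins"}, "hosts": ALL, "services": ALL},
    {"name": "allow_all", "enabled": False, "users": ALL, "groups": set(),
     "hosts": ALL, "services": ALL},
]

def _matches(dimension, value):
    """True when the rule dimension is the 'all' category or lists the value."""
    return dimension == ALL or value in dimension

def matching_rules(user, host, service, rules=RULES, groups=GROUP_MEMBERS):
    """Names of enabled rules that grant `user` access to `service` on `host`."""
    user_groups = {g for g, members in groups.items() if user in members}
    return [
        r["name"] for r in rules
        if r["enabled"]
        and (_matches(r["users"], user) or bool(user_groups & r["groups"]))
        and _matches(r["hosts"], host)
        and _matches(r["services"], service)
    ]

def hbac_allows(user, host, service, rules=RULES, groups=GROUP_MEMBERS):
    """Access is granted when at least one enabled rule matches."""
    return bool(matching_rules(user, host, service, rules, groups))

def with_rule_enabled(name, enabled, rules=RULES):
    """Copy of the rule set with one rule's enabled flag changed."""
    return [dict(r, enabled=enabled) if r["name"] == name else r for r in rules]

if __name__ == "__main__":
    host2 = "client02.idm.example.com"
    print(matching_rules("jane", host2, "sshd"))   # [] -> jane is denied on client02
    print(matching_rules("alice", host2, "sshd"))  # ['admin_access']
    # Leaving allow_all enabled would silently re-grant jane access to client02.
    print(hbac_allows("jane", host2, "sshd", rules=with_rule_enabled("allow_all", True)))  # True
```

The last line is the check worth keeping in mind when reviewing HBAC changes: every per-user restriction in this playbook is only effective because allow_all is disabled.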

Verification

  1. Connect to client01 as the jane user:

    ~]$ ssh jane@client01
    Password:
    
    Last login: Fri Aug 11 15:32:18 2023 from 192.168.122.1
    [jane@client01 ~]$

    The output verifies that jane has logged in to client01.

  2. Try to connect to client02 as the jane user:

    ~]$ ssh jane@client02
    Password:
    Connection closed by 192.168.122.47 port 22

    The output verifies that jane cannot log in to client02.

  3. Connect to client02 as the alice user:

    ~]$ ssh alice@client02
    Password:
    
    Last login: Fri Aug 10 16:13:43 2023 from 192.168.122.1

    The output verifies that alice has logged in to client02.

  4. Try to view the contents of the /etc/sssd/sssd.conf file using less without superuser privileges:

    [alice@client02 ~]$ less /etc/sssd/sssd.conf
    /etc/sssd/sssd.conf: Permission denied

    The attempt fails because the file is readable only by its owner, root.

  5. Use sudo to view the contents of the /etc/sssd/sssd.conf file with less as root:

    [alice@client02 ~]$ sudo less /etc/sssd/sssd.conf
    [sudo] password for alice:
    
    [domain/idm.example.com]
    
    id_provider = ipa
    ipa_server_mode = True
    [...]

    The output verifies that alice, as a member of admins, can run the less command on the /etc/sssd/sssd.conf file through sudo.
