Ce contenu n'est pas disponible dans la langue sélectionnée.

3.7. Managing Login Permissions for Domain Users


By default, domain-side access control is applied, which means that login policies for domain users are defined in the domain itself. This default behavior can be overridden so that client-side access control is used. With client-side access control, login permission are defined by local policies only.
If a domain applies client-side access control, you can use the realmd system to configure basic allow or deny access rules for users from that domain. Note that these access rules either allow or deny access to all services on the system. More specific access rules must be set on a specific system resource or in the domain.
To set the access rules, use the following two commands:
realm deny
The realm deny command simply denies access to all users within the domain. Use this command with the --all option.
realm permit
The realm permit command can be used to:
  • grant access to all users by using the --all option, for example:
    $ realm permit --all
  • grant access to specified users, for example:
    $ realm permit user@example.com
    $ realm permit 'AD.EXAMPLE.COM\user'
    
  • deny access to specified users by using the -x option, for example:
    $ realm permit -x 'AD.EXAMPLE.COM\user'
Note that allowing access currently only works for users in primary domains, not for users in trusted domains. This is because while user logins must contain the domain name, SSSD currently cannot provide realmd with information about available child domains.

Important

It is safer to only allow access to specifically selected users or groups than to deny access to some, while enabling it to everyone else. Therefore, it is not recommended to allow access to all by default while only denying it to specified users with realm permit -x. Instead, Red Hat recommends to maintain a default no access policy for all users and only grant access to selected users using realm permit.
For more information about the realm deny and realm permit commands, see the realm(8) man page.
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.