13.2.2. Configuring Host-Based Authentication Control
HBAC rules define which machines within the domain a Red Hat Identity Management user is allowed to access. You can configure HBAC on the Red Hat Identity Management server to prevent selected users from accessing the Satellite Server. Because the access decision is made before the login completes, this also prevents Satellite from creating database entries for users who are not allowed to log in. For more information on HBAC, see Configuring Host-Based Access Control in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy guide.
On the Red Hat Identity Management server, configure Host-Based Authentication Control (HBAC).
Procedure
On the Red Hat Identity Management server, to authenticate, enter the following command and enter your password when prompted:
# kinit admin
To verify that you have authenticated, enter the following command:
# klist
Create an HBAC service and an HBAC rule on the Red Hat Identity Management server, then link them together. The following examples use the PAM service name satellite-prod. Execute the following commands on the Red Hat Identity Management server:
# ipa hbacsvc-add satellite-prod
# ipa hbacrule-add allow_satellite_prod
# ipa hbacrule-add-service allow_satellite_prod --hbacsvcs=satellite-prod
Add the user who is to have access to the service satellite-prod, and the hostname of the Satellite Server:
# ipa hbacrule-add-user allow_satellite_prod --user=username
# ipa hbacrule-add-host allow_satellite_prod --hosts=satellite.example.com
Alternatively, you can add host groups and user groups to the allow_satellite_prod rule.
To check the status of the rule, execute:
# ipa hbacrule-find allow_satellite_prod
# ipa hbactest --user=username --host=satellite.example.com --service=satellite-prod
Ensure that the default allow_all rule is disabled on the Red Hat Identity Management server; while it is enabled, every user matches it and the allow_satellite_prod rule has no restricting effect. For instructions on how to disable it without disrupting other services, see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.
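The steps above (create the service and rule, link them, grant the user and host, then verify with hbactest and confirm allow_all is off) can be collected into one idempotent script. The following is an added example and is not part of the Red Hat documentation or of the ipa project: it assumes the ipa CLI is installed, that an admin Kerberos ticket is already held (kinit admin), and that ipa reports results with the strings "Access granted: True" and "Enabled: FALSE" matched below. The hbac_* function names and the ipa_cmd wrapper are the example's own. It goes beyond the page in one respect: the check verifies both that the intended user is granted and that an unrelated user is denied, which is the quickest way to notice that allow_all is still in force.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): set up the HBAC service and
# rule for a Satellite PAM service and verify the result with ipa hbactest.
# Assumptions: the ipa CLI is installed, an admin Kerberos ticket is held
# (kinit admin), and ipa prints "Access granted: True" / "Enabled: FALSE"
# in the forms matched below.
set -u

HBAC_SVC="${HBAC_SVC:-satellite-prod}"          # PAM service name used by Satellite
HBAC_RULE="${HBAC_RULE:-allow_satellite_prod}"  # HBAC rule that grants the service

# Single entry point to the ipa CLI, so the rest of the script can be exercised
# against a stand-in function when testing without an IdM server.
ipa_cmd() { ipa "$@"; }

# Create the service and the rule only when they are missing; ipa *-add fails
# on duplicates, so re-running the script stays safe.
hbac_ensure_service() {
  ipa_cmd hbacsvc-show "$HBAC_SVC" >/dev/null 2>&1 || ipa_cmd hbacsvc-add "$HBAC_SVC"
}
hbac_ensure_rule() {
  ipa_cmd hbacrule-show "$HBAC_RULE" >/dev/null 2>&1 || ipa_cmd hbacrule-add "$HBAC_RULE"
}

# hbac_grant USER HOST: link the service to the rule and add the user and host.
hbac_grant() {
  ipa_cmd hbacrule-add-service "$HBAC_RULE" --hbacsvcs="$HBAC_SVC"
  ipa_cmd hbacrule-add-user "$HBAC_RULE" --users="$1"
  ipa_cmd hbacrule-add-host "$HBAC_RULE" --hosts="$2"
}

# hbac_access_granted USER HOST: returns 0 when hbactest grants USER the
# service on HOST, 1 otherwise.
hbac_access_granted() {
  ipa_cmd hbactest --user="$1" --host="$2" --service="$HBAC_SVC" |
    grep -q 'Access granted: True'
}

# hbac_allow_all_disabled: returns 0 when the default allow_all rule is disabled.
hbac_allow_all_disabled() {
  ipa_cmd hbacrule-show allow_all | grep -q 'Enabled: FALSE'
}

# hbac_check ALLOWED_USER DENIED_USER HOST: verify the rule in both directions
# and confirm allow_all is off; prints one line per check, returns 1 on any failure.
hbac_check() {
  rc=0
  if hbac_access_granted "$1" "$3"; then echo "ok: $1 is granted $HBAC_SVC on $3"
  else echo "FAIL: $1 is denied $HBAC_SVC on $3"; rc=1; fi
  if hbac_access_granted "$2" "$3"; then
    echo "FAIL: $2 is granted $HBAC_SVC on $3 (rule too broad or allow_all still enabled)"; rc=1
  else echo "ok: $2 is denied $HBAC_SVC on $3"; fi
  if hbac_allow_all_disabled; then echo "ok: allow_all is disabled"
  else echo "FAIL: allow_all is still enabled"; rc=1; fi
  return $rc
}

# Usage:  ./hbac-satellite.sh setup USER HOST
#         ./hbac-satellite.sh check ALLOWED_USER DENIED_USER HOST
hbac_main() {
  case "${1:-}" in
    setup) hbac_ensure_service && hbac_ensure_rule && hbac_grant "$2" "$3" ;;
    check) hbac_check "$2" "$3" "$4" ;;
    *) echo "usage: $0 setup USER HOST | check ALLOWED_USER DENIED_USER HOST" >&2; return 2 ;;
  esac
}

# Only act when invoked with arguments; sourcing the file just defines the functions.
[ $# -eq 0 ] || hbac_main "$@"
```

Run `setup` once on the IdM server after kinit, then `check` with the Satellite user, a user who must not log in, and the Satellite Server's hostname. A `FAIL` on the denied user almost always means allow_all is still enabled, which the last check reports directly.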
Configure the Red Hat Identity Management integration with the Satellite Server as described in "Configuring Red Hat Identity Management Authentication on Satellite Server". On the Satellite Server, define the PAM service as root:
# satellite-installer --foreman-pam-service=satellite-prod