Posts

Showing posts from October, 2017

FreeIPA - HBAC-Rules Cheatsheet

Host Based Access Control (short: HBAC) is a good way to limit access to specific hosts from specific users / groups using specific services. A small example can be seen at the end of my blogpost about spacewalk and freeipa as authentication source ( link ).

Add a hbac-rule:
[archy@ipa01 ~]$ ipa hbacrule-add nfs-access

Add a user:
[archy@ipa01 ~]$ ipa hbacrule-add-user --users=archy nfs-access

Add a group:
[archy@ipa01 ~]$ ipa hbacrule-add-user --groups=admins nfs-access

Add a host:
[archy@ipa01 ~]$ ipa hbacrule-add-host --hosts=stor01.archyslife.lan nfs-access

Add a group of hosts:
[archy@ipa01 ~]$ ipa hbacrule-add-host --hostgroups=storage-servers nfs-access

Add a service:
[archy@ipa01 ~]$ ipa hbacrule-add-service --hbacsvcs=nfs nfs-access

Add a servicegroup:
[archy@ipa01 ~]$ ipa hbacrule-add-service --hbacsvcgroups=storage nfs-access

Removing a hbac-rule:
[archy@ipa01 ~]$ ipa hbacrule-del nfs-access

Removing a user:
[archy@ipa01 ~]$ ipa

Setting up Spacewalk to use FreeIPA as authentication source

This post is about setting up Spacewalk to integrate with FreeIPA's authentication (ldap/kerberos). First of all, why should you integrate Spacewalk with FreeIPA? FreeIPA gives you the option to control the access policies using keytabs, and you can manage your users centrally. So let's get started. I assume you have a functional Spacewalk and FreeIPA-Server set up and the Spacewalk-Server added as a client to your domain.

Log in to your FreeIPA-Server and add the HTTP service (keytab) for your Spacewalk-Server:
[archy@ipa01 ~]$ ipa service-add HTTP/spacewalk01.archyslife.lan

Next run the script provided by the spacewalk-project / red hat to set up the spacewalk-services:
[archy@spacewalk ~]$ sudo spacewalk-setup-ipa-authentication

When that's finished, sign in to your IPA-Server again and add the Host Based Access Control service. I've named it 'spacewalk':
[archy@ipa01 ~]$ ipa hbacsvc-add spacewalk

Next add a hbac-rule for allowing defined users t