From e97aa82fc0a95696804fd438d8ab92391b1d9f4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Wed, 14 Oct 2020 14:44:45 +0200
Subject: [PATCH] IPA: Don't allow all users to log into all hosts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard
---
 roles/ipa/server/tasks/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 6e7eb9da17..8a786a5bac 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -332,6 +332,16 @@
 changed_when: "'already exists' not in output.stdout"
 failed_when: "'already exists' not in output.stdout and output.rc != 0"
+# HBAC
+
+- name: Don't allow all users to log into all hosts
+ command: ipa hbacrule-disable allow_all
+ tags:
+ - ipa/server
+ - config
+ when: ipa_initial
+ register: output
+
 # Noggin user setup
 - name: Register the proper noggin admin password
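Review bot: The new task is gated on `when: ipa_initial`, so `allow_all` is presumably disabled only during the first server setup; a server deployed before this commit, or one where the rule is later re-enabled, keeps the allow-all HBAC rule and no later play will notice. If an admin ticket is available on non-initial runs, consider dropping the gate and making the task idempotent in the style of the task just above it, e.g. `changed_when: "'already disabled' not in output.stderr"` and `failed_when: "output.rc != 0 and 'already disabled' not in output.stderr"` (confirm the exact message the ipa CLI prints for a rule that is already disabled). As written, `register: output` is never read within this hunk, and the command always reports "changed". The hunk also shows no replacement HBAC rules; they need to exist before this runs, otherwise no one, administrators included, is permitted onto enrolled hosts.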