David O'Brien wrote:
This was a bit confusing, but I think I know what is happening... When you add a delegation in IPA, it first asks for a Name. My first reaction was "who is the delegate?" but discovered that it means "What are you going to call this delegation?"
+ Suggestion: Delegation Name:
I know you're in the process of creating a trac account, this can be your first bug :-)
Then, "People in Group" These are the people you're going to delegate certain tasks or abilities to. You don't delegate to a person, only a group. If you want to delegate to only one person, you have to create a group for that person.
+ Does it have to work this way? Could it not be "User or Group"?
Right now we only delegate to groups. If you want to delegate to a single person you'd have to create a new group, put that person in it, then delegate that. We're actually creating ACIs on the fly with this. From what I recall from when Kevin did this, adding support for user objects makes the parser exponentially more complex.
"For People in Group" I didn't realize straight off, but you can specify that the delegation only apply to specific groups. If you want to add a delegation that applies across everyone, you would have to create a group that contained everyone, right?
That is correct.
There's probably a good reason that it works the way it does, but that was my initial reaction when I used it. Comments/elaborations?
The current GUI has a slew of fields and check boxes. I have some ideas on how to make it easier to understand, mostly by compressing things so you can more easily see that "oh, I'm saying let group A update attributes on group B and I'm going to call this thing a delegation."
I have a task for this but not sure when I'll get to it: https://hosted.fedoraproject.org/projects/freeipa/ticket/87