[Freeipa-devel] Sudoers schema

JR Aquino JR.Aquino at citrixonline.com
Tue Aug 3 22:35:38 UTC 2010


~ipaSudoComand~

I'd like to know what the group thinks about the possibility of using ipaSudoComand as a DN to an object containing sudoCommand attributes, rather than just being a static attribute itself.

I believe this is already being done/suggested in a similar manner with memberUser and memberHost.

We found here at Citrix Online that the Roles tend to reuse all 3 elements pretty heavily: userGroups, hostGroups, and commandGroups.

For PCI-DSS reasons, it tends to make it a lot easier to say:

"These groups of users have login rights to these groups of hosts, and are permitted to sudo these groups of commands."

Rather than having to search for individual attribute entries in the role objects themselves.

~hostMask~

I feel inclined to agree with Dmitri regarding a deferral on the hostMask attribute for resource's sake.  I tend to see the data center design stick closer to hostname utilization, rather than subnets... i.e. people tend to put a mixed bag of servers in the same subnet, but they tend to make sure that like servers have similar hostnames or sane hostnames that can have a floating IP address in the case of clustering, or high-availability, etc, etc.  That is just my observation. Feel free to correct me if I am grossly out of spec for the rest of the industry.

~Using memberUser as sleight of hand over netgroups~

It's my understanding that the sudo source does a "getent netgroup" style of lookup to search LDAP for the netgroup... if that is correct, it may indeed be necessary to utilize the compat function to share the hostgroups with sudo...

The overall goal, again, being to eliminate duplication of info: prod-servers hostgroup == prod-servers netgroup... vs prod-servers hostgroup contains the same manually duplicated servers as prod-servers netgroup...

~users by uid and gid~

If by uid/gid he means numerical representation, then I say, I wouldn't worry about it.  Fully spelled out alpha Username / Group entries seem sane.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
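The following is an added example, not code from the post above or from the FreeIPA project, showing what the DN-reference design buys you: a sudo role whose memberUser, memberHost and ipaSudoComand values all point at group objects (nested groups included) is expanded into the flat "these users, these hosts, these commands" view an auditor asks for, and dangling DN references are reported rather than silently dropped. The attribute names memberUser, memberHost, ipaSudoComand and sudoCommand are the ones discussed in the post; the object layout under dc=example,dc=com, the use of `member` for group nesting, and the in-memory directory are assumptions made for this example.

```python
# Added example: expand a sudo role built from DN references into an audit view.
# The directory below is a constructed, in-memory stand-in for ldapsearch results
# so that the example runs offline. Attribute names memberUser/memberHost/
# ipaSudoComand/sudoCommand follow the mailing-list proposal; the DN layout and
# the use of "member" for nesting are assumptions for this example.
from typing import Dict, List, Set

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,cn=users,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,cn=users,dc=example,dc=com": {"uid": ["bob"]},
    # user groups: dba is nested inside ops
    "cn=dba,cn=groups,dc=example,dc=com": {
        "member": ["uid=bob,cn=users,dc=example,dc=com"],
    },
    "cn=ops,cn=groups,dc=example,dc=com": {
        "member": [
            "uid=alice,cn=users,dc=example,dc=com",
            "cn=dba,cn=groups,dc=example,dc=com",
        ],
    },
    # hosts and one host group (the same object a netgroup could be served from)
    "fqdn=db1.example.com,cn=computers,dc=example,dc=com": {"fqdn": ["db1.example.com"]},
    "fqdn=db2.example.com,cn=computers,dc=example,dc=com": {"fqdn": ["db2.example.com"]},
    "cn=prod-servers,cn=hostgroups,dc=example,dc=com": {
        "member": [
            "fqdn=db1.example.com,cn=computers,dc=example,dc=com",
            "fqdn=db2.example.com,cn=computers,dc=example,dc=com",
        ],
    },
    # command groups: objects carrying sudoCommand values, nestable like any group
    "cn=service-restart,cn=sudocmdgroups,dc=example,dc=com": {
        "sudoCommand": ["/sbin/service httpd restart", "/sbin/service mysqld restart"],
    },
    "cn=db-admin,cn=sudocmdgroups,dc=example,dc=com": {
        "sudoCommand": ["/usr/bin/mysql"],
        "member": ["cn=service-restart,cn=sudocmdgroups,dc=example,dc=com"],
    },
    # the role itself holds only DN references; nothing is duplicated inline
    "cn=prod-db-role,cn=sudorules,dc=example,dc=com": {
        "memberUser": ["cn=ops,cn=groups,dc=example,dc=com"],
        "memberHost": ["cn=prod-servers,cn=hostgroups,dc=example,dc=com"],
        "ipaSudoComand": ["cn=db-admin,cn=sudocmdgroups,dc=example,dc=com"],
    },
    # a role with a reference to a command group that no longer exists
    "cn=stale-role,cn=sudorules,dc=example,dc=com": {
        "memberUser": ["cn=ops,cn=groups,dc=example,dc=com"],
        "memberHost": ["cn=prod-servers,cn=hostgroups,dc=example,dc=com"],
        "ipaSudoComand": ["cn=deleted,cn=sudocmdgroups,dc=example,dc=com"],
    },
}


def _resolve(dn: str, leaf_attr: str, seen: Set[str], dangling: List[str]) -> Set[str]:
    """Follow "member" references from dn, collecting leaf_attr values.
    seen guards against reference cycles; unknown DNs are recorded in dangling."""
    if dn in seen:
        return set()
    seen.add(dn)
    entry = DIRECTORY.get(dn)
    if entry is None:
        dangling.append(dn)
        return set()
    values = set(entry.get(leaf_attr, []))
    for child in entry.get("member", []):
        values |= _resolve(child, leaf_attr, seen, dangling)
    return values


def expand_role(role_dn: str) -> Dict[str, List[str]]:
    """Flatten one sudo role into sorted users, hosts, commands and dangling refs."""
    role = DIRECTORY[role_dn]
    dangling: List[str] = []
    result = {}
    for key, attr, leaf in (("users", "memberUser", "uid"),
                            ("hosts", "memberHost", "fqdn"),
                            ("commands", "ipaSudoComand", "sudoCommand")):
        found: Set[str] = set()
        for ref in role.get(attr, []):
            found |= _resolve(ref, leaf, set(), dangling)
        result[key] = sorted(found)
    result["dangling"] = dangling
    return result


if __name__ == "__main__":
    for role_dn in ("cn=prod-db-role,cn=sudorules,dc=example,dc=com",
                    "cn=stale-role,cn=sudorules,dc=example,dc=com"):
        view = expand_role(role_dn)
        print(f"{role_dn}: users {view['users']} may sudo {view['commands']} "
              f"on {view['hosts']}; dangling refs {view['dangling']}")
```

The dangling-reference list is the check worth keeping in any audit script: once rules point at objects by DN, deleting a command or host group without referential integrity leaves a rule that still looks populated in the role entry but resolves to nothing on the client.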