[Freeipa-devel] Some thoughts about login services
Dmitri Pal
dpal at redhat.com
Fri Oct 15 15:36:50 UTC 2010
Hello,
Currently HBAC login group is defined as:
objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
X-ORIGIN 'IPA v2' )
Which means it can be nested.
In the recent discussion about SUDO and groups of SUDO commands we
settled down on the
objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA
object class to store groups of SUDO commands' SUP groupOfNames MUST (
ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
Which we decided should not support nesting.
Looking at the UI for the HBAC and complexity of the manipulation with
the HBAC object and related hbac services and groups of those it
occurred to me that one of the simplifications that we can have is
disallowing nesting of the HBAC login groups. It is expected that there
will be not many of those anyways. If we need it later we will change it
to support nesting. However the nesting is already implemented in CLI
and actually works. I tried and everything is documented and seems ok.
But group nesting in UI is a bit of nightmare. It is unclear whether the
nesting is actually a use case that we need to support here.
Thoughts?
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list