[Freeipa-devel] per-group password policy proposal
Rob Crittenden
rcritten at redhat.com
Thu Jun 11 13:10:49 UTC 2009
Sergei V. Kovylov wrote:
> Hello guys.
> I hope it's OK for devel if I share my point of view for this question.
Yeah, thanks for the feedback!
> I think that Dmitri is right. It's usual situation, when user may
> exists in several groups and decision of which group's policy must be
> applied is hard to define (it must be on end-user side not on
> developers one).
Well, I agree that cosPriority is a bit of a clumsy way to do this but I
do think that it is understandable to end-users, the higher number wins.
The hard part would being able to see all the policy groups and their
priorities.
> Moreover, password policy is just a top of iceberg,
> because there are lots of aspects which freeipa may cover, for example
> template for user creation (pre-defined home directories, access
> policy etc.). In this case usage of DS roles and CoS may provide
> flexible mechanism of manage. In part of password policy usage of
> filtered roles will do the same as per-group policy but without fixing
> them to special group and exclude some mechanism of group classes ( i
> mean password policy group, some other option group). In such case
> freeipa will provide policy mechanism which may be used not only for
> group but for some sub-entry, for some attribute in user account etc.
> With CoS we are able to define MAY or MUST one policy in nested group
> be replaced by parent one or not.
>
We have a flat DIT so subentry policies won't work for us (except as a
default).
I hadn't considered using DS roles, I'll take a look at that.
I hadn't really thought a lot about what these groups would look like
but in v2 we will support posix and non-posix groups. The password
policies would be applicable to either, so if you wanted some sort of
logical groupings you could use special non-posix groups.
I guess the question is really how many different password policies
would one organization have?
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090611/e12a27ae/attachment.bin>
More information about the Freeipa-devel
mailing list