[Freeipa-devel] Some thoughts about login services
Simo Sorce
ssorce at redhat.com
Fri Oct 15 16:03:02 UTC 2010
On Fri, 15 Oct 2010 11:36:50 -0400
Dmitri Pal <dpal at redhat.com> wrote:
> Hello,
>
> Currently HBAC login group is defined as:
> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
> DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
> X-ORIGIN 'IPA v2' )
>
> Which means it can be nested.
>
> In the recent discussion about SUDO and groups of SUDO commands we
> settled down on the
> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC
> 'IPA object class to store groups of SUDO commands' SUP groupOfNames
> MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
>
> Which we decided should not support nesting.
> Looking at the UI for the HBAC and complexity of the manipulation with
> the HBAC object and related hbac services and groups of those it
> occurred to me that one of the simplifications that we can have is
> disallowing nesting of the HBAC login groups. It is expected that
> there will be not many of those anyways. If we need it later we will
> change it to support nesting. However the nesting is already
> implemented in CLI and actually works. I tried and everything is
> documented and seems ok.
>
> But group nesting in UI is a bit of nightmare. It is unclear whether
> the nesting is actually a use case that we need to support here.
>
> Thoughts?
Unless there is a good reason to prevent nesting then I don't think
it makes sense to undo what has already been done.
If complexity is perceived as problematic than what we can do is
provide guidelines on how/when it is or not appropriate to use nesting.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list