[Freeipa-devel] Some thoughts about login services

Rob Crittenden rcritten at redhat.com
Fri Oct 15 17:07:43 UTC 2010


Dmitri Pal wrote:
> Hello,
>
> Currently HBAC login group is defined as:
> objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup'
> DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL
> X-ORIGIN 'IPA v2' )
>
> Which means it can be nested.
>
> In the recent discussion about SUDO and groups of SUDO commands we
> settled on the
> objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA
> object class to store groups of SUDO commands' SUP groupOfNames MUST (
> ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
>
> Which we decided should not support nesting.
> Looking at the UI for the HBAC and complexity of the manipulation with
> the HBAC object and related hbac services and groups of those it
> occurred to me that one of the simplifications that we can have is
> disallowing nesting of the HBAC login groups. It is expected that there
> will not be many of those anyway. If we need it later we will change it
> to support nesting. However, the nesting is already implemented in CLI
> and actually works. I tried and everything is documented and seems ok.
>
> But group nesting in UI is a bit of a nightmare. It is unclear whether the
> nesting is actually a use case that we need to support here.
>
> Thoughts?
>

It seems like there aren't that many services available for HBAC,
probably fewer than a dozen, so nested groups are probably overkill here.

rob
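As an added example (not part of this thread or of FreeIPA's own code), the following parses the two objectClass definitions quoted above and shows why the nesting decision matters when auditing what a group actually grants: with a nestedGroup-derived class, effective services must be resolved transitively and cycle-safely, while a groupOfNames-derived class is flat. Treating nestedGroup as the marker of nesting support, and the sample group data, are assumptions made here.

```python
import re

# Both objectClass descriptions are copied verbatim from the quoted message above.
HBAC_SVC_GRP = ("( 2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' "
                "DESC 'IPA HBAC service group object class' SUP nestedGroup "
                "STRUCTURAL X-ORIGIN 'IPA v2' )")
SUDO_CMD_GRP = ("( 2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA "
                "object class to store groups of SUDO commands' SUP groupOfNames "
                "MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )")

# Assumption: classes derived from nestedGroup may hold member groups; groupOfNames-only classes are flat.
NESTING_SUPERCLASSES = {"nestedGroup"}

def parse_object_class(definition):
    """Pull OID, NAME, SUP and MUST out of an RFC 4512 objectClass description."""
    oid = re.match(r"\(\s*([\d.]+)", definition).group(1)
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)
    sup = re.search(r"SUP\s+(\w+)", definition)
    must = re.search(r"MUST\s+(?:\(([^)]*)\)|(\w+))", definition)
    return {
        "oid": oid,
        "name": name,
        "sup": sup.group(1) if sup else None,
        "must": [a.strip() for a in (must.group(1) or must.group(2)).split("$")]
        if must else [],
    }

def supports_nesting(definition):
    """True when the class's direct superclass permits member groups."""
    return parse_object_class(definition)["sup"] in NESTING_SUPERCLASSES

def effective_members(groups, name, nesting, seen=None):
    """Leaf members (services) a group grants; member groups are expanded
    transitively only when nesting is allowed, with `seen` guarding cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    result = set()
    for member in groups.get(name, ()):
        if member in groups:   # member is itself a group
            if nesting:
                result |= effective_members(groups, member, nesting, seen)
        else:
            result.add(member)
    return result

# Constructed sample: 'login' and 'remote' reference each other (a cycle).
SAMPLE_GROUPS = {"login": ["sshd", "remote"], "remote": ["ftp", "login"]}
```

Resolving `login` with nesting yields `{"sshd", "ftp"}`; under the flat rule the thread proposes it yields only `{"sshd"}`, which is the simpler answer an auditor can read straight off the entry.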
