[Freeipa-devel] What about desktop policies?
Loris Santamaria
loris at lgs.com.ve
Mon Feb 25 19:15:44 UTC 2013
Hi all,
some customers of ours are interested in managing desktop policies for
their linux workstations, really nothing fancy, corporate background and
proxy settings are the most common requests.
In the past I created Gnome desktop profiles using Sabayon, distributed
them using puppet and associated them to user accounts with a Sabayon
specific LDAP attribute, a process a bit convoluted, and no longer
possible since Sabayon is no longer developed. Also it was really buggy,
and very gnome specific.
I was thinking about how to integrate desktop policies in freeIPA in a general
manner and I wanted to share my ideas with you. Hopefully some of this
may be incorporated in IPA at some point in the future.
Properties of a "policy":
* is a collection of "settings"
* can be associated with users or groups (desktop policy) or with
hosts or hostgroups (system policy)
* is associated with a "consumer", the client software that
interprets and applies the policy. This way one could define
policies for dconf, policies for kde, policies for WBEM.
Properties of a "setting"
* is a key-value pair
* must conform to a "schema"
* may be mandatory
The schema:
* indicates which attributes a policy may consist of
* indicates which kind of value an attribute may take. Bool,
string, etc.
* There may be more than one schema for a given "consumer". For
example for dconf you may have an evolution schema, a
gnome-games schema, etc.
Sample policy creation process:
1. The admin creates a new schema in IPA, with a command like "ipa
schema-add --consumer=dconf gnomeSettingsSchema"
2. The admin adds some definition to the schema: "ipa
schema-add-setting gnomeSettingsSchema
--name=/schemas/desktop/gnome/background/picture_filename
--type=string --description='File to use for the background
image.'"
3. He creates a new policy: "ipa policy-add corporateBackground
--type=desktop --consumer=dconf"
4. He adds a setting to the policy: "ipa policy-add-setting
corporateBackground
--name=/schemas/desktop/gnome/background/picture_filename
--value=file:///san/wp/wallpaper.jpg --mandatory". IPA would
check that the key is defined in one of the dconf related
schemas and the value is acceptable for that key.
5. He associates the policy with users: "ipa-policy-add-user
corporateBackground --groups=ipausers"
How should the policy be applied? On the workstation, on startup, an ipa
related utility should check if there are any policies related to the
workstation, if there are any it should call a helper capable of
applying a specific type of policy. Then on user logon another ipa
related utility should check if there are any policies associated with
the user and call the appropriate helper, if available.
For the policy created in the above example, on logon the ipa policy
utility would find that there is a policy of type dconf associated with
the user. It would check if there is a dconf policy helper installed and
if positive it would call the helper passing it the parameters defined
in the policy.
Hope this is useful at least as a starting point in defining desktop
policies in IPA.
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford