[Freeipa-devel] "Special" groups

Simo Sorce ssorce at redhat.com
Fri Jul 4 18:05:48 UTC 2008


On Fri, 2008-07-04 at 06:30 -0700, Eric wrote:
> From your documentation: "editors" and "admins" are special groups. An
> example I have in mind would be to add a "private" group whose members
> would be invisible from other regular "ipausers" members. 

All users are always visible as we allow anonymous read access to the
tree (except for some attributes).
This is needed because of the way Linux/Unix systems work, as they can
always enumerate all users.
To be able to conceal some users we would have to change how the single
machine looks up users. Not an easy task.

> - I'm wondering if that makes sense to implement such a new group as a
> way to offer specific features. I fear there could be quickly too many
> groups for the sole purpose of governing roles (isn't already the case
> with delegations that need to be implemented via groups?)

We are thinking if and how to implement roles in IPA; editors would need
to be really a role, not a posix Group, but for v1 groups are all we have.

> - What would be the way you favor to implement a special group? By
> developing a Fedora Directory Server plugin?

If your aim is to conceal users that would not be enough. Normally
though I would experiment with ACIs first (or Roles, Virtual Groups,
Class of Service, etc...).

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
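As an added illustration of the "experiment with ACIs first" route (this is not code from the thread or from FreeIPA itself), the following 389 Directory Server ACI denies read access to the entries of a hypothetical cn=private group to everyone except that group and admins. The base DN dc=example,dc=com, the cn=users/cn=groups layout under cn=accounts, the group names and a memberOf attribute maintained on user entries are all assumptions.

```ldif
# Added example (not from the thread): deny anonymous and ordinary-user read
# of entries whose memberOf points at the assumed cn=private group.
# In 389 DS a deny ACI overrides any allow, so the default anonymous-read ACI
# FreeIPA grants on the tree keeps working for all other users.
# Continuation lines start with two spaces: LDIF strips the first, the second
# keeps the ACI tokens separated.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (targetfilter = "(memberOf=cn=private,cn=groups,cn=accounts,dc=example,dc=com)")
  (version 3.0; acl "Hide private group members from everyone else";
  deny (read, search, compare)
  userdn = "ldap:///anyone"
  and not groupdn = "ldap:///cn=private,cn=groups,cn=accounts,dc=example,dc=com
  || ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
```

Apply it with ldapmodify as Directory Manager (who bypasses ACIs) and then compare an anonymous search with one bound as a private member to confirm the entries disappear only for the former. Exactly as the reply warns, any Unix client that resolves or enumerates users anonymously will then fail to see those accounts, so this only hides them from the directory, not from the machines that need them.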