[Freeipa-devel] Policy and multiple back-end domains

Stephen Gallagher sgallagh at redhat.com
Tue Mar 10 16:51:49 UTC 2009


Dmitri and I just had a very interesting discussion on policies in the
SSSD. Since we support multiple domain back-ends, we need to consider
the implications of multiple policy providers. We don't want a client
machine that is connected to (for example) an IPA provider and a Samba
provider to be attempting to apply conflicting policies.

My suggestion is that we separate policy into two primary types: user
and machine.

User policy could be provided by any number of domains, as it would only
apply to those users the domain served. This would be policy such as
host-based access control, password complexity, etc.

Machine policy should be restricted to only one domain (the domain that
the SSSD client is enrolled with for machine identity) and would provide
policy for global machine configuration.

--
Stephen Gallagher
RHCE 804006346421761

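A minimal model of the user/machine split proposed in the message above, added here as an illustration; it is not code from SSSD or from the message's author. The `Domain` class, the policy keys and the sample domains are hypothetical, and the sketch assumes each user is served by exactly one domain.

```python
# Added illustration, not SSSD code: every name and policy key is hypothetical.
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when policy cannot be resolved unambiguously."""


@dataclass
class Domain:
    name: str
    users: set
    user_policy: dict = field(default_factory=dict)     # e.g. password complexity
    machine_policy: dict = field(default_factory=dict)  # global machine config


def effective_user_policy(domains, user):
    """User policy comes only from the domain that serves this user."""
    owners = [d for d in domains if user in d.users]
    if len(owners) != 1:  # assumption: exactly one domain serves each user
        raise PolicyError(f"{user!r} is served by {len(owners)} domains")
    return dict(owners[0].user_policy)


def effective_machine_policy(domains, enrolled):
    """Machine policy comes only from the enrollment domain.

    Returns (applied_policy, names_of_domains_whose_machine_policy_was_ignored).
    """
    by_name = {d.name: d for d in domains}
    if enrolled not in by_name:
        raise PolicyError(f"enrollment domain {enrolled!r} is not configured")
    ignored = [d.name for d in domains if d.name != enrolled and d.machine_policy]
    return dict(by_name[enrolled].machine_policy), ignored


# Constructed sample: an IPA and a Samba back-end with conflicting machine policy.
DOMAINS = [
    Domain("ipa.example", {"alice"}, {"min_password_length": 12},
           {"ntp_server": "ntp.ipa.example"}),
    Domain("samba.example", {"bob"}, {"min_password_length": 8},
           {"ntp_server": "ntp.samba.example"}),
]

if __name__ == "__main__":
    print(effective_user_policy(DOMAINS, "alice"))
    print(effective_machine_policy(DOMAINS, "ipa.example"))
```

Reporting the ignored domains gives an administrator something to log when a non-enrollment back-end tries to supply machine policy.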