<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 05/10/2011 11:07 PM, Adam Young wrote:
    <blockquote cite="mid:4DC9FD7F.1090505@redhat.com" type="cite">
      On 05/10/2011 04:38 PM, JR Aquino wrote:
      <blockquote
        cite="mid:0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com"
        type="cite">
        <pre wrap="">On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:

</pre>
        <blockquote type="cite">
          <pre wrap="">JR Aquino wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:

</pre>
            <blockquote type="cite">
              <pre wrap="">Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.

An Administrator should have the ability to quickly identify the rights a user will have in the system.

For example. With the patch added, my user show looks like this:

# ipa user-show tester --all
 dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
 User login: tester
 First name: Tester
 Last name: Engineering
 Full name: Tester Engineering
 Display name: Tester Engineering
 Initials: TE
 Home directory: /home/tester
 GECOS field: Tester Engineering
 Login shell: /bin/sh
 Kerberos principal: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:tester@EXAMPLE.COM">tester@EXAMPLE.COM</a>
 UID: 1829800388
 GID: 1829800388
 Account disabled: False
 Member of groups: ipausers, auto-dev-deploy-tools, build-integration
 ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
 krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
 memberofindirect_HBAC rule: development
 memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
 mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
 objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount

&lt;freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch&gt;
_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a>
</pre>
            </blockquote>
            <pre wrap="">
Oops, forgot to have PATCH in the subject.

</pre>
          </blockquote>
          <pre wrap="">I think you need this as well, right?

-        'memberof': ['group', 'netgroup', 'role'],
+        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
</pre>
        </blockquote>
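Review bot: the sibling 'memberofindirect' list in the same attribute_members mapping needs 'sudorule' and 'hbacrule' added as well, not only 'memberof'; the user-show output quoted above reports the rules under memberofindirect_HBAC rule and memberofindirect_Sudo Rule, so a rule reached only through a group would still go unlabelled if just the direct list is extended.<br>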
        <pre wrap="">Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.

xmlrpc tests check out

Please review

</pre>
        <pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
      </blockquote>
      <br>
      <br>
      The reason that this shows up in the UI is that it is generating
      additional memberof attributes.  It has nothing to do with the
      memberofindirect:<br>
    </blockquote>
    <br>
    You are also going to need to modify the sudo rule and HBAC rule
    to use the serial associator on some facets.  It looks like group at
    least has things backwards.  The group.js file I think needs a rule
    like this:<br>
    <br>
    <br>
    <pre wrap="">association_facet({
    name: 'memberof_sudorule',
    associator: IPA.serial_associator
}).</pre>
    <br>
    This is because the API is for adding multiple groups to the sudo
    rule, but the default behaviour is for adding multiple &lt;other
    entity&gt; to &lt;this entity&gt;.<br>
    <br>
    <blockquote cite="mid:4DC9FD7F.1090505@redhat.com" type="cite"> <br>
       "attribute_members": {<br>
                                  "memberof": [<br>
                                      "group",<br>
                                      "netgroup",<br>
                                      "role",<br>
                                      "hbacrule",<br>
                                      "sudorule"<br>
                                  ],<br>
                                  "memberofindirect": [<br>
                                      "group",<br>
                                      "netgroup",<br>
                                      "role",<br>
                                      "hbacrule",<br>
                                      "sudorule"<br>
                                  ]<br>
                              },<br>
    </blockquote>
    <br>
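    The direct-versus-indirect resolution this thread is about, as an added example that is not part of the thread or of FreeIPA's code base: it models a small constructed directory in Python (the user, group and rule names are made up, loosely following the user-show output quoted at the top of the thread, and nothing in it calls the IPA API), walks nested group membership, and reports each HBAC and sudo rule as memberof when the rule names the user directly, or memberofindirect when the rule only reaches the user through a group.<br>

```python
"""Direct versus indirect rule membership, as discussed in the thread.

Added example, not FreeIPA's own code.  The directory below is constructed
for illustration (names loosely follow the quoted user-show output); nothing
here calls the IPA API.  It resolves nested group membership and then
classifies each HBAC and sudo rule as "memberof" (the rule names the user
directly) or "memberofindirect" (the rule reaches the user through a group).
"""
from collections import deque

# Constructed sample data: user -> groups the user is a direct member of.
USER_GROUPS = {
    "tester": {"ipausers", "auto-dev-deploy-tools", "build-integration"},
    "alice": {"engineering"},
}

# Constructed sample data: group -> groups that group is itself a member of
# (the memberOf view of nesting, so the walk follows the arrows upward).
GROUP_MEMBEROF = {
    "auto-dev-deploy-tools": {"developers"},
    "developers": {"engineering"},
}

# Constructed sample rules: kind -> rule name -> explicit user and group members.
RULES = {
    "hbacrule": {
        "development": {"users": set(), "groups": {"developers", "build-integration"}},
        "allow_all_admins": {"users": {"alice"}, "groups": set()},
    },
    "sudorule": {
        "AUTO-dev-deploy-tools_DEPLOY": {"users": set(), "groups": {"auto-dev-deploy-tools"}},
        "build-integration": {"users": set(), "groups": {"build-integration"}},
        "engineering_all": {"users": set(), "groups": {"engineering"}},
    },
}


def effective_groups(user):
    """Return (direct, indirect) group sets for a user.

    Direct membership is what memberOf holds; indirect membership is the
    transitive closure over nested groups.  Groups already seen are not
    re-queued, so a membership cycle cannot loop forever.
    """
    direct = set(USER_GROUPS.get(user, ()))
    indirect = set()
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for parent in GROUP_MEMBEROF.get(group, ()):
            if parent not in direct and parent not in indirect:
                indirect.add(parent)
                queue.append(parent)
    return direct, indirect


def rule_membership(user, kind):
    """Return (memberof, memberofindirect) rule-name sets of one kind.

    A rule that lists the user explicitly is a direct member; a rule that
    lists any group the user belongs to, directly or through nesting, is an
    indirect member.  A rule listed both ways counts as direct only.
    """
    direct_groups, indirect_groups = effective_groups(user)
    reachable = direct_groups | indirect_groups
    memberof, memberofindirect = set(), set()
    for name, rule in RULES[kind].items():
        if user in rule["users"]:
            memberof.add(name)
        elif rule["groups"] & reachable:
            memberofindirect.add(name)
    return memberof, memberofindirect


def audit_report(user):
    """Render the resolution in the label style of `ipa user-show --all`."""
    direct, indirect = effective_groups(user)
    lines = [
        f"User login: {user}",
        "Member of groups: " + ", ".join(sorted(direct)),
        "Indirect Member of group: " + ", ".join(sorted(indirect)),
    ]
    for kind, label in (("hbacrule", "HBAC rule"), ("sudorule", "Sudo rule")):
        memberof, memberofindirect = rule_membership(user, kind)
        if memberof:
            lines.append(f"memberof_{label}: " + ", ".join(sorted(memberof)))
        if memberofindirect:
            lines.append(f"memberofindirect_{label}: " + ", ".join(sorted(memberofindirect)))
    return "\n".join(lines)


if __name__ == "__main__":
    for who in ("tester", "alice"):
        print(audit_report(who))
        print()
```

    Running it prints one user-show style report per sample user. For tester, every rule lands under memberofindirect_* because each rule is granted to a group rather than to the user, which is the same shape as the output quoted at the top of the thread; a rule that names a user explicitly (allow_all_admins for alice) is reported once, as direct, even if the user would also reach it through a group.<br>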
  </body>
</html>