<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 05/10/2011 04:38 PM, JR Aquino wrote:
<blockquote
cite="mid:0B1CC5CC-F36C-4EA7-B30D-472539E64D7E@citrixonline.com"
type="cite">
<pre wrap="">On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:
</pre>
<blockquote type="cite">
<pre wrap="">JR Aquino wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify the auditing of users for their indirect membership to their authorization rights.
An Administrator should have the ability to quickly identify the rights a user will have in the system.
For example. With the patch added, my user show looks like this:
# ipa user-show tester --all
dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
User login: tester
First name: Tester
Last name: Engineering
Full name: Tester Engineering
Display name: Tester Engineering
Initials: TE
Home directory: /home/tester
GECOS field: Tester Engineering
Login shell: /bin/sh
Kerberos principal: <a class="moz-txt-link-abbreviated" href="mailto:tester@EXAMPLE.COM">tester@EXAMPLE.COM</a>
UID: 1829800388
GID: 1829800388
Account disabled: False
Member of groups: ipausers, auto-dev-deploy-tools, build-integration
ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
memberofindirect_HBAC rule: development
memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount
<freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a>
</pre>
</blockquote>
<pre wrap="">
OPPS, forgot to have PATCH in the subject.
</pre>
</blockquote>
<pre wrap="">
I think you need this as well, right?
- 'memberof': ['group', 'netgroup', 'role'],
+ 'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
</pre>
</blockquote>
<pre wrap="">
Some scope change.
Added memberof and memberofindirect
Added to user.py host.py group.py hostgroup.py
When using the --all flag it is now very clear to the administrator what authorization rules these objects are directly or indirectly a memberof.
xmlrpc tests check out
Please review
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
The reason that this shows up in the UI is that it is generating
additional memberof attributes. It has nothing to do with the
memberofindirect:<br>
<br>
"attribute_members": {<br>
"memberof": [<br>
"group",<br>
"netgroup",<br>
"role",<br>
"hbacrule",<br>
"sudorule"<br>
],<br>
"memberofindirect": [<br>
"group",<br>
"netgroup",<br>
"role",<br>
"hbacrule",<br>
"sudorule"<br>
]<br>
},<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>