[Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif

Dmitri Pal dpal at redhat.com
Fri Sep 24 19:53:30 UTC 2010


Brian LaMere wrote:
> On Fri, Sep 24, 2010 at 10:43 AM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     Brian LaMere wrote:
>     > ah, odd - I'm used to IPs being IA5.  then the equality match should
>     > be changed?  Can't have  caseIgnoreIA5Match on a directory string :)
>     Yes. This is what the patch does :-)
>
>
> so, out of curiosity...why 60sudo? Seems like a string matching
> netmask could be used more generically...it's redefined over as
> radiusFramedIPNetmask in 60radius.ldif.  I go through and purge my
> tree of attributes I'll never need, sorry - I have strange quirks.

See some discussion of the subject here:
http://www.freeipa.org/page/SUDO_Schema_Design#Proposed_Schema under
sudoHost. I tried to find something suitable but could not. I did not
look at RADIUS though.
Reusing core, well known attributes is a good practice since they are
common. Relying on RADIUS schema to be present might not be. Yes we plan
to support RADIUS in future but this work is deferred. The hope is that
other DS servers will see the value in the new schema and start
supporting it in future. In this case having it independent from RADIUS
schema will be the right approach.
Also I am considering that this attribute can be used to denote a host
name with a wildcard. I am not saying we are going to support it but at
least I thought about that too. Those minor factors added up to a
decision to define a new attribute rather than reuse some existing but
not 100% suitable one.

Thanks
Dmitri


Regarding the rest - I do not know and hope somebody else will be able to
answer.

>
> Also, I've noted that when I stop services, then start them again per
> the order in /etc/rc3.d, named doesn't know about the local domain yet
> because it connects to an empty socket (since the krb and dirsrv
> services aren't started yet)  
>
>     trying to establish LDAP connection to
> ldapi://%2fvar%2frun%2fslapd-BRIAN-INTERNAL.socket
>
> which fails at:
>
>     Principal not found in cred cache (Matching credential not found)
>
> Once everything is up, if I run "rndc reload" the local domain lookups
> (and thus, everything else) works again.  Should one of the other
> services incorporate a rndc reload, for this reason?  I didn't
> actually restart the server (can't, due to something else it is doing)
> I just stopped things per rc3.d/k* order, and then started them per s*
> order.
>
> Brian


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
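A small schema lint for the mismatch discussed in this thread (an EQUALITY matching rule that RFC 4517 does not define for the attribute's SYNTAX, such as caseIgnoreIA5Match on a Directory String), added here as an example and not code from FreeIPA or 389-ds. The sample LDIF and the attribute OIDs in it are constructed placeholders, not the contents of 60sudo.ldif.

```python
import re

# RFC 4517 syntax OIDs and the equality matching rules RFC 4517 defines for them.
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
EQUALITY_FOR_SYNTAX = {
    IA5_STRING: {"caseIgnoreIA5Match", "caseExactIA5Match"},
    DIRECTORY_STRING: {"caseIgnoreMatch", "caseExactMatch"},
}

# Constructed sample in 389-ds schema-file form. The attribute OIDs are placeholders,
# not the real 60sudo.ldif values; the first entry carries the mismatch from the thread.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'hostMask' DESC 'placeholder OID'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'constructed sample' )
attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME 'hostMaskFixed' DESC 'placeholder OID'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'constructed sample' )
"""

def unfold(ldif_text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def check_schema(ldif_text):
    """Return [(attribute, equality_rule, syntax_oid)] for EQUALITY rules not defined for the SYNTAX."""
    problems = []
    for line in unfold(ldif_text):
        m = re.match(r"attributeTypes:\s*\((.*)\)\s*$", line)
        if not m:
            continue
        body = m.group(1)
        name = re.search(r"\bNAME\s+'([^']+)'", body)       # single-name form only
        equality = re.search(r"\bEQUALITY\s+(\S+)", body)
        syntax = re.search(r"\bSYNTAX\s+([\d.]+)", body)    # a {len} bound is ignored
        if not (name and equality and syntax):
            continue
        allowed = EQUALITY_FOR_SYNTAX.get(syntax.group(1))
        if allowed is not None and equality.group(1) not in allowed:
            problems.append((name.group(1), equality.group(1), syntax.group(1)))
    return problems
```

Running `check_schema` over a schema directory's `*.ldif` files reports each attribute whose equality rule the server would reject or apply inconsistently; only the two syntaxes in the table are checked, other syntaxes pass through unflagged.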



