[Freeipa-users] How to set a user group rule to allow su - oracle only?

Steven Jones Steven.Jones at vuw.ac.nz
Tue Jul 17 22:29:08 UTC 2012


Hi,

Thanks...yes I don't care "how" as such.  I'm trying to translate traditional Linux/Unix ways of doing things into IPA where possible...maybe that's where I'm communicating poorly and causing confusion, sorry about that.

It's like English and French, I want the French but only have the English words to ask in.

:/

su - root can be local, that's OK as that is unique and exists locally.  But I need to do a lot of as kodak wants and have a group of users log in as themselves and then get to an application "user".  Typically this would be say oracle...but I don't want the user oracle to be able to ssh in...so that can be IPA controlled, I know, which I'd rather do than putting a deny into sshd_config....as when you want to refresh a database you could have a HBAC for Oracle defined between 2 specific hosts for a set length of time say.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
Sent: Wednesday, 18 July 2012 10:17 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

On 07/17/2012 02:06 PM, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> *From:* Arpit Tolani [arpittolani at gmail.com]
> *Sent:* Tuesday, 17 July 2012 11:13 p.m.
> *To:* Steven Jones
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] How to set a user group rule to allow su
> - oracle only?

I think that is because you are talking about two separate things. You
want to control entry to root via su, this may or may not be
controllable with IPA, but probably not.

You want to control entry to the oracle user via sudo and restrict that
to a group of users, that is entirely possible within IPA.

-Erinn
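
The sudo arrangement described in the reply above, as an added example that is not part of the original thread: an IPA sudo rule that lets one user group run exactly `su - oracle` on one host. The group name `dbadmins`, rule name `oracle-su`, host `db1.example.com` and the `/bin/su` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed names (assumptions):
# group "dbadmins", rule "oracle-su", host "db1.example.com", su at /bin/su.
# Run with a valid admin Kerberos ticket (kinit admin).
# Default is a dry run that prints each ipa command; set APPLY=1 to execute.

IPA_GROUP="${IPA_GROUP:-dbadmins}"
IPA_RULE="${IPA_RULE:-oracle-su}"
IPA_HOST="${IPA_HOST:-db1.example.com}"
SU_CMD="/bin/su - oracle"   # sudo matches the arguments exactly, so only oracle

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

oracle_sudo_rule() {
    # Users log in as themselves and are placed in this group.
    run ipa group-add "$IPA_GROUP" --desc="May become oracle via sudo"
    # Register the one command the rule will allow.
    run ipa sudocmd-add "$SU_CMD"
    # Create the rule, then bind who, where and what.
    run ipa sudorule-add "$IPA_RULE"
    run ipa sudorule-add-user "$IPA_RULE" --groups="$IPA_GROUP"
    run ipa sudorule-add-host "$IPA_RULE" --hosts="$IPA_HOST"
    run ipa sudorule-add-allow-command "$IPA_RULE" --sudocmds="$SU_CMD"
}

oracle_sudo_rule
```

Once the rule is in place and the host's sudo reads its rules from IPA, members of the group run `sudo su - oracle` after logging in as themselves.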
