[Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

Gelen James hahaha_30k at yahoo.com
Tue May 15 16:05:43 UTC 2012


Hi Sumit, 


 Thanks for your quick reply.
 
In the chapter http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups, the netgroup migration script sets the '--usercat' and '--hostcat' options on IPA netgroups through the 'ipa netgroup-mod' command.

More specifically, when IPA imports host-based netgroups with triples like (hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with the option '--usercat=all'. Does that mean that if this IPA netgroup is used in an HBAC rule, then the rule will be applied to all users on hostA and hostB? Am I right? :)

BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? The HBAC rules are defined inside hosts/hostgroups, and no NIS groups are involved, right? I may be completely wrong here.

Thanks.

--Gelen
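As an added illustration of the migration mapping discussed above (this is example code, not the thread's or the Red Hat script's own), the following parses NIS netgroup map lines, applies the rule described in the question (a '-' in the host or user position becomes '--hostcat=all' / '--usercat=all'), emits the ipa commands the migration would run, and flags where that mapping widens access. The ipa option names other than '--usercat' and '--hostcat', and the sample map, are assumptions.

```python
import re
from dataclasses import dataclass, field

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

@dataclass
class Netgroup:
    name: str
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    nested: list = field(default_factory=list)
    hostcat_all: bool = False   # would be set with 'ipa netgroup-mod --hostcat=all'
    usercat_all: bool = False   # would be set with 'ipa netgroup-mod --usercat=all'
    warnings: list = field(default_factory=list)

def parse_netgroup_line(line):
    """Parse one 'name (host,user,domain) ... nested' line of a NIS netgroup map."""
    name, _, rest = line.strip().partition(" ")
    ng = Netgroup(name)
    for token in rest.split():                  # assumes no spaces inside a triple
        m = TRIPLE.fullmatch(token)
        if not m:
            ng.nested.append(token)             # a bare word is a nested netgroup
            continue
        host, user, _domain = m.groups()
        for kind, value, members in (("host", host, ng.hosts), ("user", user, ng.users)):
            if value == "":                     # netgroup(5): an empty field is a wildcard
                setattr(ng, f"{kind}cat_all", True)
            elif value == "-":                  # netgroup(5): '-' means no valid value ...
                setattr(ng, f"{kind}cat_all", True)   # ... but the thread's script maps it to 'all'
                msg = f"{name}: {kind} '-' migrated as --{kind}cat=all; an HBAC rule using it matches every {kind}"
                if msg not in ng.warnings:
                    ng.warnings.append(msg)
            else:
                members.add(value)
    return ng

def ipa_commands(ng):
    """Commands the migration would issue (add-member option names are an assumption)."""
    cmds = [f"ipa netgroup-add {ng.name}"]
    for opt, members in (("hosts", ng.hosts), ("users", ng.users), ("netgroups", ng.nested)):
        if members:
            cmds.append(f"ipa netgroup-add-member {ng.name} --{opt}={','.join(sorted(members))}")
    cats = [f"--{k}cat=all" for k, on in (("host", ng.hostcat_all), ("user", ng.usercat_all)) if on]
    if cats:
        cmds.append(f"ipa netgroup-mod {ng.name} {' '.join(cats)}")
    return cmds

# Constructed sample map for the example, not real data.
SAMPLE_MAP = "webhosts (hostA,-,-) (hostB,-,-)\nadmins (-,alice,-) (-,bob,-)\nanyone (,,) webhosts\n"

def review(map_text=SAMPLE_MAP):
    """Return {netgroup: (commands, warnings)} for a whole map."""
    groups = (parse_netgroup_line(l) for l in map_text.splitlines() if l.strip())
    return {ng.name: (ipa_commands(ng), ng.warnings) for ng in groups}
```

Run `review()` on a real map dump to see which netgroups would pick up a category wildcard before using them in HBAC rules.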
________________________________
 From: Sumit Bose <sbose at redhat.com>
To: freeipa-users at redhat.com 
Sent: Tuesday, May 15, 2012 1:48 AM
Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
 
On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
> Hi all,
> 
>  The online manual says that the '--usercat' means 'User category the rule applies to';  '--hostcat' has the similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.
> 
>  Could anyone please shed a light on this? Thanks a lot.

iirc these options were introduced with the host based access control
(HBAC) and are used to identify categories/classes of users and hosts
in a more general way than using groups or ip-address ranges. I think
currently only the keyword 'all' can be used here, which e.g. means that
an HBAC rule will match for all users or all hosts. In future it is
planned to support other categories, e.g. something like 'local' and
'remote' which would catch all users/hosts of the local IPA domain or
all users/groups which are coming from remote domains, respectively.

HTH

bye,
Sumit

> 
> --David

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
