[Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

Dmitri Pal dpal at redhat.com
Thu May 24 17:21:54 UTC 2012


On 05/16/2012 06:20 AM, Sumit Bose wrote:
> On Tue, May 15, 2012 at 09:05:43AM -0700, Gelen James wrote:
>> Hi Sumit, 
>>
>>
>>  Thanks for your quick reply.
>>  
>>  In the chapter http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups, the netgroup migration script sets the '--usercat' and '--hostcat' options on IPA netgroups through the 'ipa netgroup-mod' command.
>>
>> More specifically, when IPA imports host-based netgroups with triples like (hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with the option '--usercat=all'. Does that mean that if this IPA netgroup is used in an HBAC rule, then the rule will be applied to all users on hostA and hostB? Am I right? :)
> yes, this is my understanding, too.
>
>> BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? The HBAC rules are defined inside hosts/hostgroups, and no NIS groups are involved, right? I may be completely wrong here.
> yes, HBAC rules use hosts/hostgroups and not netgroups. In general
> netgroups were added to support applications which still need them or to
> make migrations from environments where netgroups were used easier. But
> we recommend using hostgroups with IPA if possible.
>
> HTH
>
> bye,
> Sumit
>
>> Thanks.
>>
>> --Gelen
>>
>> ________________________________
>>  From: Sumit Bose <sbose at redhat.com>
>> To: freeipa-users at redhat.com 
>> Sent: Tuesday, May 15, 2012 1:48 AM
>> Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?
>>  
>> On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
>>> Hi all,
>>>
>>>  The online manual says that '--usercat' means 'User category the rule applies to'; '--hostcat' has a similar explanation. But I still don't understand how that could be used in real life and when/where to use the options.
>>>
>>>  Could anyone please shed some light on this? Thanks a lot.
>> iirc these options were introduced with the host based access control
>> (HBAC) and are used to identify categories/classes of users and hosts
>> in a more general way than using groups or ip-address ranges. I think
>> currently only the keyword 'all' can be used here, which, e.g., means that
>> an HBAC rule will match for all users or all hosts. In future it is
>> planned to support other categories, e.g. something like 'local' and
>> 'remote' which would catch all users/hosts of the local IPA domain or
>> all users/groups which are coming from remote domains, respectively.
>>
>> HTH
>>
>> bye,
>> Sumit
>>


Finally got time to read and reply.
IPA introduced an object class called Association. It allows a
many-to-many relationship between users and hosts.
Users can be expressed as a list of users, a list of groups, or a category of
users. We currently support only one category, "all".
The same is true for hosts.
Several different objects in IPA derive from the association object.
HBAC and netgroups are among those.
This is why the notion of the category is in both cases. But it also
makes sense. There was no other way for HBAC and netgroups to express
"all". We made an architectural decision that absence of something
should not be treated as "all" but rather denote "none". So if nothing
is defined in the HBAC rule to express users, such a rule should be treated
as not applying to any user and effectively be ignored as an
incomplete/broken rule. If that is not the case, it is probably a bug.


>>> --David
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
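To make the "absence denotes none, category 'all' matches everyone" rule concrete, here is a small model I added of how an association-derived object (HBAC rule or netgroup) is evaluated. It is not IPA's own code; the rule, user and host names are constructed, and the netgroup mirrors what the migration script would build from (hostA,-,-), (hostB,-,-) with --usercat=all.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """Toy model of an IPA association-derived object (HBAC rule or netgroup)."""
    name: str
    usercat: Optional[str] = None            # user category; only "all" exists today
    users: set[str] = field(default_factory=set)
    usergroups: set[str] = field(default_factory=set)
    hostcat: Optional[str] = None            # host category; only "all" exists today
    hosts: set[str] = field(default_factory=set)
    hostgroups: set[str] = field(default_factory=set)


def side_matches(cat: Optional[str], members: set[str], groups: set[str],
                 name: str, name_groups: set[str]) -> bool:
    """Evaluate one side (users or hosts) of the association."""
    if cat == "all":
        return True                          # category "all" matches everyone
    if cat is not None:
        raise ValueError(f"unsupported category {cat!r}")
    # No category set: only explicit members or group membership count.
    # An empty side therefore denotes "none", never "all".
    return name in members or bool(groups & name_groups)


def rule_applies(rule: Rule, user: str, user_groups: set[str],
                 host: str, host_groups: set[str]) -> bool:
    """A rule applies only when both the user side and the host side match."""
    return (side_matches(rule.usercat, rule.users, rule.usergroups, user, user_groups)
            and side_matches(rule.hostcat, rule.hosts, rule.hostgroups, host, host_groups))


# Constructed sample data (not from the thread):
# a netgroup as the NIS migration would create it from (hostA,-,-), (hostB,-,-) ...
MIGRATED = Rule("nis_hosts", usercat="all", hosts={"hostA", "hostB"})
# ... and an HBAC-style rule whose user side was left empty (incomplete/broken).
INCOMPLETE = Rule("no_users", hosts={"hostA"})


def check(rule: Rule, user: str, host: str) -> bool:
    """Evaluate a rule for a user and host that belong to no groups."""
    return rule_applies(rule, user, set(), host, set())
```

With these definitions, the migrated netgroup matches any user on hostA or hostB, while the rule with no users matches nobody instead of everybody.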
