[Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

Rodney L. Mercer rmercer at harris.com
Fri Feb 15 14:17:20 UTC 2013



On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
> I agree with schema support being enough for now. I do not expect the
> ipa mgmt tools to support Solaris rbac mgmt.
> 
> The ipa mgmt tools are great, but I already have other data in the ipa
> ldap that I have to manage manually anyway.
> 
> 
> 
> Rgds,
> Siggi
> 
> 
> 
> Rob Crittenden <rcritten at redhat.com> wrote:
>         Dag Wieers wrote:
>                 On Thu, 14 Feb 2013, Rob Crittenden wrote:
>                 
>                         Sigbjorn Lie wrote:
>                                 On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>                                 
>                                                 Also since we also require compatibility with Solaris, and roles
>                                                 (RBAC) is currently used on Solaris, does IPA support RBAC on
>                                                 Solaris? (We noticed that RBAC mentioned in the IPA web interface
>                                                 only relates to IPA management).
>                                                 No, IPA doesn't support RBAC on Solaris.
>                                         
>                                 I've come across the same issue. This is just a matter of extending the
>                                 schema.
>                                 
>                                 Would there be any interest for adding the Solaris RBAC schema as a
>                                 part
>                                 of the standard IPA distributed LDAP schemas?


Consider the following: What else would have to be put in to support this?
Once the schema is established, can SSSD be extended to use this and
potentially be referenced in nsswitch.conf as it is implemented on
Solaris? IE:

tail -5 /etc/nsswitch.conf
user_attr:  sssd
auth_attr:  sssd
prof_attr:  sssd
exec_attr:  sssd
project:    sssd



>                         

>                         Is the schema enough? Won't people want a way from IPA to manage the
>                         data too?

>                 Of course, integration in IPA is better, but having the schema
>                 integrated is a good first step. Besides, integration in IPA probably
>                 won't happen without RBAC support in Fedora/RHEL, right?
>         
>         
>         Right, and it is a bit beyond our scope to create a compatible RBAC 
>         solution.
>         
>         rob
> 
