[Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

Dmitri Pal dpal at redhat.com
Fri Feb 15 21:31:40 UTC 2013


On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>
> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>> I agree with schema support being enough for now. I do not expect the
>> ipa mgmt tools to support Solaris rbac mgmt.
>>
>> The ipa mgmt tools are great, but I already have other data in the ipa
>> ldap that I have to manage manually anyway.
>>
>>
>>
>> Rgds,
>> Siggi
>>
>>
>>
>> Rob Crittenden <rcritten at redhat.com> wrote:
>>         Dag Wieers wrote:
>>                 On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>                 
>>                         Sigbjorn Lie wrote:
>>                                 On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>                                 
>>                                                 Also since we also require compatibility with Solaris, and roles
>>                                                 (RBAC) is currently used on Solaris, does IPA support RBAC on
>>                                                 Solaris? (We noticed that RBAC mentioned in the IPA web interface
>>                                                 only relates to IPA management).
>>                                                 No, IPA doesn't support RBAC on Solaris.
>>                                         
>>                                 I've come across the same issue. This is just a matter of extending the
>>                                 schema.
>>                                 
>>                                 Would there be any interest for adding the Solaris RBAC schema as a
>>                                 part of the standard IPA distributed LDAP schemas?
>
> Consider the following: What else would have to be put in to support
> this?
> Once the schema is established, can SSSD be extended to use this and
> potentially be referenced in nsswitch.conf as it is implemented on
> Solaris? IE: 
> tail -5 /etc/nsswitch.conf
> user_attr:  sssd
> auth_attr:  sssd
> prof_attr:  sssd
> exec_attr:  sssd
> project:    sssd

Before we define how it is passed/exposed it would be nice to understand
who on Linux will be consuming it out of SSSD?


>
>
>
>>                         
>>                         Is the schema enough? Won't people want a way from IPA to manage
>>                         the data too?
>>                 Of course, integration in IPA is better, but having the schema
>>                 integrated is a good first step. Besides, integration in IPA probably
>>                 won't happen without RBAC support in Fedora/RHEL, right ?
>>         
>>         
>>         Right, and it is a bit beyond our scope to create a compatible RBAC 
>>         solution.
>>         
>>         rob
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

