[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

Dmitri Pal dpal at redhat.com
Thu Jul 11 22:19:57 UTC 2013


On 07/11/2013 05:54 PM, KodaK wrote:
>
>
> On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     Well it is something like this that I had in mind. But you have
>     beaten me...
>     Great to see you found an acceptable solution.
>
>
> Acceptable is a strong word.  Maybe "passable" or Microsoft-style "it
> works, ship it."  :)
>
> Out of curiosity, what were your thoughts on a solution for us?  Did
> it differ significantly
> from what I'm doing?  (I'm always on the lookout for a better way.)

What you need is who can access a specific AIX machine, right?
You have several sets of AIX machines, say 5, each of which has an HBAC
rule that relates a group of users X to a group of AIX machines with the
same set of users.
If you have non-overlapping host groups you can fetch users with one
LDAP search from the puppet master.

I am not good with LDAP syntax, but SQL is natural for me, so conceptually
the search would look like this:

SELECT group.member FROM group JOIN hbac on group-DN JOIN host group on
hostgroup-DN WHERE hostgroup.member contains host X.

I hope it conveys what I have in mind. The result of such search would
be a list of group members that have access to the host.
This is pretty close to what you have done except it covers nested
groups too and uses HBAC rules.

>
> Also, what's PWT mail? 

Private. I made a typo. It should have been V :-)

> I assume some sort of encrypted or private mail, but I'm not
> familiar with the acronym.
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
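Dmitri's conceptual join, carried out as an added Python example (not code from the thread or from FreeIPA itself) over a constructed in-memory copy of the relevant entries. The objectClass and attribute names (ipaHBACRule, memberHost, memberUser, hostCategory, userCategory, ipaEnabledFlag, member) follow FreeIPA's LDAP schema as I understand it; the suffix, hosts, users, groups and rules are all made up, and nested-group flattening is done in code rather than by the directory's memberOf plugin.

```python
BASE = "dc=example,dc=com"  # constructed suffix; a real deployment uses its own
HOST = {h: f"fqdn={h}.example.com,cn=computers,cn=accounts,{BASE}" for h in ("aix01", "aix02")}
USER = {u: f"uid={u},cn=users,cn=accounts,{BASE}" for u in ("alice", "bob", "carol")}
GROUP = {g: f"cn={g},cn=groups,cn=accounts,{BASE}" for g in ("dba", "aix-admins")}
AIX_PROD = f"cn=aix-prod,cn=hostgroups,cn=accounts,{BASE}"

def rule(name, enabled="TRUE", **attrs):
    """A constructed ipaHBACRule entry (DN, attributes) using FreeIPA attribute names."""
    return (f"cn={name},cn=hbac,{BASE}", {"objectClass": ["ipaHBACRule"],
            "ipaEnabledFlag": [enabled], "accessRuleType": ["allow"], **attrs})

# Constructed directory (DN -> attributes) standing in for ldapsearch results.
# serviceCategory/memberService (telnet vs. sshd) are not modelled, and the
# memberOf plugin's flattening of nested groups is done by contains() instead.
DIRECTORY = dict([
    *((d, {"objectClass": ["ipaHost"]}) for d in HOST.values()),
    *((d, {"objectClass": ["posixAccount"]}) for d in USER.values()),
    (AIX_PROD, {"objectClass": ["ipaHostGroup"], "member": [HOST["aix01"]]}),
    (GROUP["dba"], {"objectClass": ["posixGroup"], "member": [USER["alice"]]}),
    (GROUP["aix-admins"], {"objectClass": ["posixGroup"],
                           "member": [USER["bob"], GROUP["dba"]]}),  # nested group
    rule("aix_prod_access", memberHost=[AIX_PROD], memberUser=[GROUP["aix-admins"]]),
    rule("everyone_on_aix02", memberHost=[HOST["aix02"]], userCategory=["all"]),
    rule("stale", enabled="FALSE", memberHost=[HOST["aix01"]], memberUser=[USER["carol"]]),
])

def contains(container, leaf, seen=()):
    """True if leaf is container itself or a (nested) member of it; cycle-safe."""
    if container == leaf:
        return True
    if container in seen:
        return False
    members = DIRECTORY.get(container, {}).get("member", [])
    return any(contains(m, leaf, (*seen, container)) for m in members)

def users_allowed_on(host):
    """uids that some enabled allow rule grants the host: the join Dmitri sketches."""
    host_dn, allowed = HOST[host], set()
    users = [d for d, e in DIRECTORY.items() if "posixAccount" in e["objectClass"]]
    for e in DIRECTORY.values():
        if "ipaHBACRule" not in e["objectClass"] or e["ipaEnabledFlag"] != ["TRUE"]:
            continue  # only enabled rules count (all constructed rules are allow rules)
        if e.get("hostCategory") != ["all"] and not any(
                contains(h, host_dn) for h in e.get("memberHost", [])):
            continue  # rule does not cover this host directly or via a hostgroup
        if e.get("userCategory") == ["all"]:
            allowed.update(users)
        for target in e.get("memberUser", []):  # a user DN or a (nested) group DN
            allowed.update(u for u in users if contains(target, u))
    return sorted(u.split(",")[0].split("=", 1)[1] for u in allowed)
```

The disabled rule, the nested group and the userCategory=all rule are the cases a one-shot LDAP query from the puppet master has to get right before the result is turned into local AIX accounts.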


