[Freeipa-users] Permission not working as expected

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 30 17:53:40 UTC 2016


On Tue, 30 Aug 2016, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>>On Tue, 30 Aug 2016, Deepak Dimri wrote:
>>>Ok, I got it now. Let me try this with role + privilege having three sets
>>>of permissions: 1) memberOf hostgroup to manage the permissions to the
>>>hosts, 2) permission on cn=hostgroup to manage the hosts' membership
>>>within the given group, 3) permission for "member attribute" to allow
>>>addition/deletion of hosts' membership based on the "member attribute"
>>>value. I need to go through the link you shared; in the meanwhile a quick
>>>question: can I add a custom attribute, something like an AWS EC2 resource
>>>tag, as the member attribute of a host? I am just wondering what
>>>all/else could be a member attribute other than the AWS EC2 instance
>>>name...
>>Each ipaHost object has userClass attribute. The semantics are described
>>in RFC 4524, section 2.25. We don't use it for anything ourselves, it
>>has a DirectoryString type (UTF-8-encoded string).
>
>userClass is used for auto membership.
You mean it can be used. At least I don't see pre-defined automember
rules with userClass. We even say of the --class option in 'ipa host-mod':
  --class=STR           Host category (semantics placed on this attribute are
                        for local interpretation)

-- 
/ Alexander Bokovoy
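As an added illustration of the thread's two points (userClass set via 'ipa host-mod --class' feeding an automember hostgroup rule, and a role scoped to that hostgroup), here is a small shell wrapper around the ipa CLI. It is not code from the thread or from FreeIPA; hostgroup, role, user and class names are constructed placeholders, and the '--filter' form for the membership permission is an assumption about the permission plugin's extra target filter option.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Set IPA=echo to print the commands
# instead of running them, so the flow can be read without an IPA server.
IPA="${IPA:-ipa}"

# Hostgroup whose membership is derived from each host's userClass value:
# an automember rule with a condition keyed on the userclass attribute.
setup_automember() {
    hg="$1"; class_regex="$2"
    $IPA hostgroup-add "$hg" --desc="Hosts populated from userClass" &&
    $IPA automember-add --type=hostgroup "$hg" &&
    $IPA automember-add-condition --type=hostgroup --key=userclass \
        --inclusive-regex="$class_regex" "$hg"
}

# Delegation scoped to that hostgroup: write access only to hosts that are
# members of it, plus write access to the hostgroup's own member attribute.
setup_role() {
    hg="$1"; role="$2"; admin_user="$3"
    $IPA permission-add "Modify $hg hosts" --type=host --right=write \
        --attrs=description --attrs=userclass --memberof="$hg" &&
    $IPA permission-add "Manage $hg membership" --type=hostgroup \
        --right=write --attrs=member --filter="(cn=$hg)" &&
    $IPA privilege-add "$role privilege" &&
    $IPA privilege-add-permission "$role privilege" \
        --permissions="Modify $hg hosts" \
        --permissions="Manage $hg membership" &&
    $IPA role-add "$role" &&
    $IPA role-add-privilege "$role" --privileges="$role privilege" &&
    $IPA role-add-member "$role" --users="$admin_user"
}

# Tag a host and recompute its automember groups, so membership (and hence
# the delegated role's reach) follows the userClass value, not a manual add.
tag_host() {
    $IPA host-mod "$1" --class="$2" &&
    $IPA automember-rebuild --type=hostgroup --hosts="$1"
}

# Example run with constructed names (hypothetical AWS-style class tag).
provision_aws_web() {
    setup_automember aws-web '^aws-web$' &&
    setup_role aws-web "AWS web host admin" ops.user &&
    tag_host web01.example.test aws-web
}
```

Running with `IPA=echo sh script.sh` after calling `provision_aws_web` prints the full command sequence for review before it is applied to a real server.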