[Freeipa-users] Permission not working as expected

Rob Crittenden rcritten at redhat.com
Tue Aug 30 17:57:06 UTC 2016


Alexander Bokovoy wrote:
> On Tue, 30 Aug 2016, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>>>> OK, I got it now. Let me try this with role + privilege having three sets
>>>> of permissions: 1) memberOf hostgroup to manage the permissions to the
>>>> hosts, 2) permission on cn=hostgroup to manage the hosts' membership
>>>> within the given group, 3) permission for the "member attribute" to allow
>>>> addition/deletion of host membership based on the "member attribute"
>>>> value. I need to go through the link you shared; in the meanwhile, a quick
>>>> question: can I add a custom attribute, something like an AWS EC2 resource
>>>> tag, as the member attribute of a host? I am just wondering what
>>>> all/else could be a member attribute other than the AWS EC2 instance
>>>> name...
>>> Each ipaHost object has a userClass attribute. The semantics are described
>>> in RFC 4524, section 2.25. We don't use it for anything ourselves; it
>>> has a DirectoryString type (UTF-8-encoded string).
>>
>> userClass is used for auto membership.
> You mean it can be used. At least I don't see pre-defined automember
> rules with userClass. We even mention the --class option in the 'ipa
> host-mod' help:
>   --class=STR           Host category (semantics placed on this
> attribute are
>                         for local interpretation)
>

Perhaps, but this attribute was added specifically for this use case:
http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

rob
