[Freeipa-users] Permission not working as expected

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 30 18:08:56 UTC 2016


On Tue, 30 Aug 2016, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>>On Tue, 30 Aug 2016, Rob Crittenden wrote:
>>>Alexander Bokovoy wrote:
>>>>On Tue, 30 Aug 2016, Deepak Dimri wrote:
>>>>>Ok, I got it now. Let me try this with role + privilege having three sets
>>>>>of permissions: 1) memberOf hostgroup to manage the permissions to the
>>>>>hosts 2) permission on cn=hostgroup to manage the hosts' membership within
>>>>>the given group 3) permission for the "member attribute" to allow
>>>>>add/deletion of hosts' membership based on the "member attribute"
>>>>>value. I need to go through the link you shared; in the meanwhile, a quick
>>>>>question: can I add a custom attribute, something like an AWS EC2 resource
>>>>>tag, as the member attribute of a host? I am just wondering what
>>>>>all/else could be a member attribute other than the AWS EC2 instance
>>>>>name...
>>>>Each ipaHost object has userClass attribute. The semantics are described
>>>>in RFC 4524, section 2.25. We don't use it for anything ourselves, it
>>>>has a DirectoryString type (UTF-8-encoded string).
>>>
>>>userClass is used for auto membership.
>>You mean it can be used. At least I don't see pre-defined automember
>>rules with userClass. We even say so in the 'ipa host-mod' help for the
>>--class option:
>>  --class=STR           Host category (semantics placed on this attribute are
>>                        for local interpretation)
>>
>
>Perhaps but this attribute was added specifically for this use case, 
>http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Sure, it still means semantics are locally interpreted by whoever does
the deployment. I doubt anything in Deepak's setup relies on userClass
yet.

-- 
/ Alexander Bokovoy
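Added example, not part of the thread and not FreeIPA project code: a POSIX shell script that builds the delegation Deepak sketches (a role holding a privilege that holds narrowly scoped permissions) and the userClass-driven automember rule the replies discuss. The host group name aws-web, the admin group aws-web-admins, the host web1.example.test and the suffix dc=example,dc=test are constructed placeholders; the ipa subcommands and options are FreeIPA's CLI, while the `--filter` scoping is this example's choice so that each permission covers one host group rather than all of them.

```shell
#!/bin/sh
# Added example, not from the thread. Delegates management of ONE host group
# through FreeIPA's role -> privilege -> permission chain, and lets the
# userClass attribute (ipa host-mod --class) feed an automember rule.
# Names (aws-web, aws-web-admins, web1.example.test) and the suffix are
# constructed placeholders.
set -eu

HOSTGROUP="${HOSTGROUP:-aws-web}"        # host group being delegated
ADMINS="${ADMINS:-aws-web-admins}"       # user group that receives the role
HOST="${HOST:-web1.example.test}"        # a host to tag at the end
SUFFIX="${SUFFIX:-dc=example,dc=test}"   # placeholder: your IPA base DN
IPA="${IPA:-ipa}"                        # every call goes through this

hostgroup_dn() { printf 'cn=%s,cn=hostgroups,cn=accounts,%s' "$1" "$SUFFIX"; }

# Permission 1: write the 'member' attribute, but only on this one host group.
# The (cn=...) filter is what keeps the grant from covering every host group.
add_membership_permission() {
    "$IPA" permission-add "Manage $1 membership" \
        --type=hostgroup --right=write --attrs=member --filter="(cn=$1)"
}

# Permission 2: edit a couple of attributes on hosts, scoped by memberOf so
# that hosts outside the group stay untouched.
add_member_host_permission() {
    "$IPA" permission-add "Manage hosts in $1" \
        --type=host --right=write --attrs=description --attrs=userclass \
        --filter="(memberOf=$(hostgroup_dn "$1"))"
}

# Bundle the permissions into a privilege, the privilege into a role, and
# hand the role to the admin group.
grant_role() {
    "$IPA" privilege-add "$1 delegation"
    "$IPA" privilege-add-permission "$1 delegation" \
        --permissions="Manage $1 membership" --permissions="Manage hosts in $1"
    "$IPA" role-add "$1 operators"
    "$IPA" role-add-privilege "$1 operators" --privileges="$1 delegation"
    "$IPA" role-add-member "$1 operators" --groups="$2"
}

# Automember: any host whose userClass equals the group name joins it.
add_userclass_automember() {
    "$IPA" automember-add --type=hostgroup "$1"
    "$IPA" automember-add-condition --type=hostgroup \
        --key=userclass --inclusive-regex="^$1\$" "$1"
}

delegate_hostgroup() {
    "$IPA" hostgroup-add "$1"
    add_membership_permission "$1"
    add_member_host_permission "$1"
    grant_role "$1" "$2"
    add_userclass_automember "$1"
}

# Run for real only when asked:  sh delegate.sh apply
if [ "${1:-}" = "apply" ]; then
    delegate_hostgroup "$HOSTGROUP" "$ADMINS"
    # Tag a host; the automember rule above then places it in the group.
    "$IPA" host-mod "$HOST" --class="$HOSTGROUP"
fi
```

Running the script with `apply` needs an admin Kerberos ticket; without the argument it only defines the functions, which is convenient for reviewing the generated commands by pointing `IPA` at a wrapper that echoes them. Hosts that already carry a matching userClass before the rule exists are not re-evaluated automatically; `ipa automember-rebuild --type=hostgroup` does that. Because the role only grants write on `member` of one host group and on two attributes of its members, a compromised operator account cannot reach other host groups or add hosts to them, which is the check worth making against `ipa permission-show` after applying.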
