[Freeipa-users] Permission not working as expected

Rob Crittenden rcritten at redhat.com
Tue Aug 30 18:46:48 UTC 2016


Alexander Bokovoy wrote:
> On Tue, 30 Aug 2016, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Tue, 30 Aug 2016, Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Tue, 30 Aug 2016, Deepak Dimri wrote:
>>>>>> OK, I got it now. Let me try this with role + privilege having
>>>>>> three sets of permissions: 1) memberOf hostgroup to manage the
>>>>>> permissions to the hosts, 2) permission on cn=hostgroup to manage
>>>>>> the hosts' membership within the given group, 3) permission for
>>>>>> "member attribute" to allow add/deletion of hosts' membership based
>>>>>> on the "member attribute" value. I need to go through the link you
>>>>>> shared; in the meanwhile a quick question: can I add a custom
>>>>>> attribute, something like an AWS EC2 resource tag, as the member
>>>>>> attribute of a host? I am just wondering what all/else could be a
>>>>>> member attribute other than AWS EC2 instance name...
>>>>> Each ipaHost object has a userClass attribute. The semantics are
>>>>> described in RFC 4524, section 2.25. We don't use it for anything
>>>>> ourselves; it has a DirectoryString type (UTF-8-encoded string).
>>>>
>>>> userClass is used for auto membership.
>>> You mean it can be used. At least I don't see pre-defined automember
>>> rules with userClass. We even say in the 'ipa host-mod' help about the
>>> --class option:
>>>  --class=STR           Host category (semantics placed on this
>>> attribute are
>>>                        for local interpretation)
>>>
>>
>> Perhaps, but this attribute was added specifically for this use case:
>> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
> Sure, it still means semantics are locally interpreted by whoever does
> the deployment. I doubt anything in Deepak's setup relies on userClass
> yet.

Yet being the operative word. Overload it if you want but you might come
to regret it.

rob
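The risk Rob is pointing at can be made concrete. The following is an added Python example, not code from the thread or from FreeIPA: it models automember-style hostgroup rules keyed on userClass (the kind created with `ipa automember-add --type=hostgroup` and `ipa automember-add-condition --key=userclass`) and shows what happens to a host's group placement when a provisioning system starts writing EC2 tags into the same attribute. The rule names, host entries, attribute values and the simplified match semantics (an exclusive regex vetoes, any inclusive regex adds) are assumptions constructed for this example; the real 389-ds automember plug-in has more behaviour than this (default groups, rescans) and should be consulted before relying on the details.

```python
import re
from dataclasses import dataclass, field

# Assumption: a simplified model of a FreeIPA/389-ds automember rule.
# Keys are lowercase LDAP attribute names as used with --key=, values are
# lists of regular expressions.
@dataclass
class AutomemberRule:
    hostgroup: str
    inclusive: dict = field(default_factory=dict)
    exclusive: dict = field(default_factory=dict)


def matches(entry: dict, conditions: dict) -> bool:
    """True if any regex matches any value of its attribute on the entry."""
    for attr, patterns in conditions.items():
        for value in entry.get(attr, []):
            if any(re.search(pat, value) for pat in patterns):
                return True
    return False


def evaluate(host: dict, rules: list) -> list:
    """Hostgroups the host lands in. Simplified semantics (assumption):
    a matching exclusive condition vetoes the rule, otherwise any matching
    inclusive condition adds the host."""
    groups = []
    for rule in rules:
        if matches(host, rule.exclusive):
            continue
        if matches(host, rule.inclusive):
            groups.append(rule.hostgroup)
    return sorted(groups)


def membership_drift(before: dict, after: dict, rules: list) -> dict:
    """Groups lost and gained when a host entry changes (e.g. a provisioning
    system rewrites userClass). Useful as a pre-change check."""
    old, new = set(evaluate(before, rules)), set(evaluate(after, rules))
    return {"lost": sorted(old - new), "gained": sorted(new - old)}


# Constructed rules: one keyed purely on userClass, one keyed on fqdn with a
# userClass-based exclusion.
RULES = [
    AutomemberRule("webservers", inclusive={"userclass": [r"^webserver$"]}),
    AutomemberRule(
        "prod-hosts",
        inclusive={"fqdn": [r"\.prod\.example\.test$"]},
        exclusive={"userclass": [r"^decommissioned$"]},
    ),
]

# Constructed host entries (attribute names lowercased as LDAP returns them).
HOST_OK = {"fqdn": ["web01.prod.example.test"], "userclass": ["webserver"]}
# Same role, but a provisioning tool has overloaded userClass with an EC2 tag.
HOST_OVERLOADED = {"fqdn": ["web02.prod.example.test"],
                   "userclass": ["aws:Name=web-02"]}
# A host flagged for decommissioning via the exclusive condition.
HOST_RETIRED = {"fqdn": ["web03.prod.example.test"],
                "userclass": ["webserver", "decommissioned"]}


def main():
    for name, host in (("ok", HOST_OK), ("overloaded", HOST_OVERLOADED),
                       ("retired", HOST_RETIRED)):
        print(f"{name:11s} -> {evaluate(host, RULES)}")
    # The drift check shows the web01 host silently leaving 'webservers'
    # if its userClass were rewritten with the tag value.
    print("drift:", membership_drift(HOST_OK, HOST_OVERLOADED, RULES))


if __name__ == "__main__":
    main()
```

Running it shows the overloaded host dropping out of `webservers` while still matching `prod-hosts`, which is exactly the silent membership change (and therefore the silent change in which permissions apply to the host) that a second consumer of userClass can introduce.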
