<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 07/11/2013 05:54 PM, KodaK wrote:
<blockquote
cite="mid:CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Thu, Jul 11, 2013 at 4:42 PM, Dmitri
Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">Well it is something like this that I had in
mind. But you have beaten me...</div>
Great to see you found an acceptable solution.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Acceptable is a strong word. Maybe "passable" or
Microsoft-style "it works, ship it." :)</div>
<div><br>
</div>
<div>Out of curiosity, what were your thoughts on a solution for
us? Did it differ significantly</div>
<div>from what I'm doing? (I'm always on the lookout for a
better way.)</div>
</div>
</blockquote>
<br>
What you need is who can access a specific AIX machine, right?<br>
You have several sets of AIX machines, say 5, each of which has an
HBAC rule that relates a group of users X to a group of AIX machines
with the same set of users.<br>
If you have non-overlapping host groups you can fetch users with one
LDAP search from the puppet master.<br>
<br>
I am not good with LDAP syntax but SQL is natural for me, so
conceptually the search would look like this:<br>
<br>
SELECT group.member FROM group JOIN hbac on group-DN JOIN host group
on hostgroup-DN WHERE hostgroup.member contains host X.<br>
<br>
I hope it conveys what I have in mind. The result of such a search
would be a list of group members that have access to the host. <br>
This is pretty close to what you have done except it covers nested
groups too and uses HBAC rules.<br>
<br>
<blockquote
cite="mid:CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
</div>
<div>Also, what's PWT mail? <br>
</div>
</div>
</blockquote>
<br>
Private. I made a typo. It should have been V :-) <br>
<br>
<blockquote
cite="mid:CAA9J0ZF2MJubkRawsP8f0ZYiMhYbxUy0a0C=rxCitBr+CLXAvw@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div>I assume some sort of encrypted or private mail, but I'm
not</div>
<div>familiar with the acronym.</div>
<div><br>
</div>
</div>
-- <br>
The government is going to read our mail anyway, might as well
make it tough for them. GPG Public key ID: B6A1A7C6
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
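<br>
The lookup sketched in the message above (HBAC rule, then host group, then user group, with nested groups followed), written out as an added example; it is not code from the thread or from FreeIPA. The entries are constructed, the attribute names (member, memberUser, memberHost, ipaEnabledFlag) are assumed to match the FreeIPA schema, and rules are assumed to list their users and hosts explicitly.<br>

```python
BASE = "dc=example,dc=test"  # constructed suffix

def dn(rdn, container):
    return f"{rdn},cn={container},cn=accounts,{BASE}"

AIX1 = dn("fqdn=aix1.example.test", "computers")
AIX2 = dn("fqdn=aix2.example.test", "computers")
ALICE, BOB, CAROL = (dn(f"uid={u}", "users") for u in ("alice", "bob", "carol"))

# Constructed group and host group entries: DN -> attributes.
DIRECTORY = {
    dn("cn=aix-prod", "hostgroups"): {"member": [AIX1]},
    dn("cn=aix-test", "hostgroups"): {"member": [AIX2]},
    dn("cn=aix-admins", "groups"): {"member": [ALICE, dn("cn=oncall", "groups")]},
    dn("cn=oncall", "groups"): {"member": [BOB]},
    dn("cn=testers", "groups"): {"member": [CAROL]},
}
# Constructed HBAC rules; the last one is disabled and must be ignored.
HBAC_RULES = [
    {"cn": "prod-login", "ipaEnabledFlag": "TRUE",
     "memberUser": [dn("cn=aix-admins", "groups")],
     "memberHost": [dn("cn=aix-prod", "hostgroups")]},
    {"cn": "test-login", "ipaEnabledFlag": "TRUE",
     "memberUser": [dn("cn=testers", "groups"), ALICE],
     "memberHost": [dn("cn=aix-test", "hostgroups")]},
    {"cn": "old-rule", "ipaEnabledFlag": "FALSE",
     "memberUser": [CAROL], "memberHost": [AIX1]},
]

def expand(dns, seen=None):
    """Flatten group/host group DNs to leaf DNs, following nesting; cycle-safe."""
    seen = set() if seen is None else seen
    leaves = set()
    for d in dns:
        if d in seen:
            continue
        seen.add(d)
        if d in DIRECTORY:  # a group or host group: recurse into its members
            leaves |= expand(DIRECTORY[d].get("member", []), seen)
        else:               # a user or host entry
            leaves.add(d)
    return leaves

def users_allowed_on(host_dn):
    """Logins from every enabled rule whose (expanded) hosts include host_dn."""
    allowed = set()
    for rule in HBAC_RULES:
        if rule.get("ipaEnabledFlag") == "TRUE" and host_dn in expand(rule.get("memberHost", [])):
            allowed |= expand(rule.get("memberUser", []))
    return sorted(u.split(",")[0].split("=", 1)[1] for u in allowed)
```
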
</body>
</html>