I'd like to know what the group thinks about the possibility of using 
ipaSudoCommand as a DN to an object containing sudoCommand attributes, rather 
than just being a static attribute itself.

I believe this is already being done/suggested in a similar manner with 
memberUser and memberHost.

We found here at Citrix Online that the Roles tend to reuse all 3 elements 
pretty heavily: userGroups, hostGroups, and commandGroups.

For PCI-DSS reasons, it tends to make it a lot easier to say:

"These groups of users have login rights to these groups of hosts, and are 
permitted to sudo these groups of commands."

Rather than having to search for individual attribute entries in the role 
objects themselves.

I feel inclined to agree with Dmitri regarding a deferral on the hostMask 
attribute for resource's sake.  I tend to see the data center design stick 
closer to hostname utilization, rather than subnets... i.e. people tend to put 
a mixed bag of servers in the same subnet, but they tend to make sure that like 
servers have similar hostnames or sane hostnames that can have a floating IP 
address in the case of clustering, or high-availability, etc, etc.  That is just 
my observation. Feel free to correct me if I am grossly out of spec for the 
rest of the industry.

~Using memberUser as sleight of hand over netgroups~

It's my understanding that the sudo source does a "getent netgroup" style of 
lookup to search LDAP for the netgroup... if that is correct, it may indeed be 
necessary to utilize the compat function to share the hostgroups with sudo...

The overall goal, again, being to eliminate duplication of info: prod-servers 
hostgroup == prod-servers netgroup... vs prod-servers hostgroup contains the 
same manually duplicated servers as prod-servers netgroup...

~users by uid and gid~

If by uid/gid he means numerical representation, then I say, I wouldn't worry 
about it.  Fully spelled out alpha Username / Group entries seem sane.

Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117

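One way to read a rule built along the lines proposed above, as an added example that is not code from the original post or from FreeIPA itself: a small resolver over a constructed in-memory directory in which each ipaSudoCommand value is either a static command or the DN of a command-group object carrying sudoCommand attributes. The attribute names (including memberCommand for nested groups), the DNs and the directory contents are assumptions made for the example.

```python
# Constructed in-memory directory (DN -> {attribute: [values]}); the attribute
# names are assumptions modelled on the proposal, not FreeIPA's actual schema.
BASE = "dc=example,dc=com"
DIRECTORY = {
    f"cn=readonly-tools,ou=sudocmdgroups,{BASE}": {
        "sudoCommand": ["/bin/cat", "/usr/bin/less"],
    },
    f"cn=service-restart,ou=sudocmdgroups,{BASE}": {
        "sudoCommand": ["/sbin/service"],
        # nested command group, referenced by DN
        "memberCommand": [f"cn=readonly-tools,ou=sudocmdgroups,{BASE}"],
    },
    # two groups that reference each other: resolution must still terminate
    f"cn=loop-a,ou=sudocmdgroups,{BASE}": {"memberCommand": [f"cn=loop-b,ou=sudocmdgroups,{BASE}"]},
    f"cn=loop-b,ou=sudocmdgroups,{BASE}": {"memberCommand": [f"cn=loop-a,ou=sudocmdgroups,{BASE}"]},
    f"cn=ops-prod,ou=sudorules,{BASE}": {
        "memberUser": [f"cn=ops,cn=groups,{BASE}"],
        "memberHost": [f"cn=prod-servers,cn=hostgroups,{BASE}"],
        "ipaSudoCommand": [
            "/usr/sbin/tcpdump",                             # static command
            f"cn=service-restart,ou=sudocmdgroups,{BASE}",   # DN reference
        ],
    },
}

def is_dn(value):
    """A command path starts with '/'; a DN is a comma-separated list of RDNs."""
    return not value.startswith("/") and "=" in value

def expand_command_group(dn, directory, seen=None):
    """sudoCommand values of a group plus nested memberCommand groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    entry = directory.get(dn)
    if entry is None:
        # Fail closed: a rule pointing at a missing group is a data error to surface.
        raise KeyError(f"dangling command-group reference: {dn}")
    commands = set(entry.get("sudoCommand", []))
    for nested in entry.get("memberCommand", []):
        commands |= expand_command_group(nested, directory, seen)
    return commands

def effective_commands(rule_dn, directory=DIRECTORY):
    """Commands a rule grants: static values kept as-is, DN values dereferenced."""
    commands = set()
    for value in directory[rule_dn]["ipaSudoCommand"]:
        commands |= expand_command_group(value, directory) if is_dn(value) else {value}
    return commands
```

Against a real directory the same walk would be done with LDAP searches on each DN; the dangling-reference check matters most there, since a deleted group otherwise vanishes from an audit listing without any error.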
Freeipa-devel mailing list
