I'd like to know what the group thinks about the possibility of using
ipaSudoCommand as a DN to an object containing sudoCommand attributes, rather
than just being a static attribute itself.
I believe this is already being done/suggested in a similar manner with
memberUser and memberHost.
We found here at Citrix Online that the Roles tend to reuse all 3 elements
pretty heavily: userGroups, hostGroups, and commandGroups.
For PCI-DSS reasons, it tends to make it a lot easier to say:
"These groups of users have login rights to these groups of hosts, and are
permitted to sudo these groups of commands."
Rather than having to search for individual attribute entries in the role.
I feel inclined to agree with Dmitri regarding a deferral on the hostMask
attribute for resource sake. I tend to see the data center design to stick
closer to hostname utilization, rather than subnets... I.E. people tend to put
a mixed bag of servers in the same subnet, but they tend to make sure that like
servers have similar hostnames or sane hostnames that can have a floating IP
address in the case of clustering, or high-availability, etc, etc. That is just
my observation. Feel free to correct me if I am grossly out of spec for the
rest of the industry.
~Using memberUser as slight of hand over netgroups~
It's my understanding that the sudo source does a "getent netgroup" style of
lookup to search ldap for the netgroup... if that is correct, it may indeed be
necessary to utilize the compat function to share the hostgroups with sudo...
The overall goal, again, being to eliminate duplication of info: prod-servers
hostgroup == prod-servers netgroup... vs prod-servers hostgroup contains the
same manually duplicated servers as prod-servers netgroup...
~users by uid and gid~
If by uid/gid he means numerical representation, then I say, I wouldn't worry
about it. Fully spelled out alpha Username / Group entries seem sane.
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 6500 Hollister Avenue | Goleta, CA 93117
Freeipa-devel mailing list
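The "role references group objects by DN" shape proposed above, as an added example that is not part of the original post or of FreeIPA's code: a small in-memory directory where a sudo rule holds only DN references to a user group, a hostgroup and a command group, beside the static shape where a command string is copied into the rule. All entry DNs and the `cn=sudocmds`/`cn=sudocmdgroups` layout are constructed for illustration and are not FreeIPA's actual schema.

```python
from itertools import product
from typing import Dict, List, Set, Tuple

# Constructed LDAP-like directory, DN -> attributes (names are made up).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=dba,cn=groups": {"member": ["uid=alice", "uid=bob"]},
    "cn=prod-servers,cn=hostgroups": {
        "member": ["fqdn=db1.example.test", "fqdn=db2.example.test"]},
    "cn=db-cmds,cn=sudocmdgroups": {
        "member": ["cn=restart-pg,cn=sudocmds", "cn=pg-ctl,cn=sudocmds"]},
    "cn=restart-pg,cn=sudocmds": {
        "sudoCommand": ["/usr/bin/systemctl restart postgresql"]},
    "cn=pg-ctl,cn=sudocmds": {"sudoCommand": ["/usr/bin/pg_ctl"]},
    # Proposed shape: the role holds only DN references to the three groups.
    "cn=dba-prod,cn=sudorules": {
        "memberUser": ["cn=dba,cn=groups"],
        "memberHost": ["cn=prod-servers,cn=hostgroups"],
        "ipaSudoCommand": ["cn=db-cmds,cn=sudocmdgroups"],
    },
    # Static shape the post argues against: a command copied into the role.
    "cn=dba-prod-static,cn=sudorules": {
        "memberUser": ["cn=dba,cn=groups"],
        "memberHost": ["cn=prod-servers,cn=hostgroups"],
        "ipaSudoCommand": ["/usr/bin/pg_ctl"],
    },
}

def expand(ref: str, leaf_attr: str = "") -> Set[str]:
    """Resolve a DN (or literal value) to leaf values, following nested
    'member' references. A command object yields its sudoCommand values."""
    entry = DIRECTORY.get(ref)
    if entry is None:              # literal value or leaf DN (user, host)
        return {ref}
    if leaf_attr and leaf_attr in entry:
        return set(entry[leaf_attr])
    members = entry.get("member")
    if not members:
        return {ref}
    out: Set[str] = set()
    for m in members:
        out |= expand(m, leaf_attr)
    return out

def effective_grants(rule_dn: str) -> Set[Tuple[str, str, str]]:
    """All (user, host, command) triples a rule permits after expansion."""
    rule = DIRECTORY[rule_dn]
    users = set().union(*(expand(u) for u in rule["memberUser"]))
    hosts = set().union(*(expand(h) for h in rule["memberHost"]))
    cmds = set().union(*(expand(c, "sudoCommand") for c in rule["ipaSudoCommand"]))
    return set(product(users, hosts, cmds))

def add_host(hostgroup_dn: str, host_dn: str) -> None:
    """Change the hostgroup once; every role referencing it picks it up."""
    DIRECTORY[hostgroup_dn]["member"].append(host_dn)
```

Adding a host to `cn=prod-servers` widens every rule that references the hostgroup without touching the rules themselves, which is the single-source-of-truth property the post wants for PCI-DSS review.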