It occurred to me that we can have a compromise. We can have two ways
and let the admins decide which model to follow.
So the schema will look like this:
The sudo rule entry will have a string attribute to put a command
verbatim as it is designed now and an attribute that contains a DN of a
group of the commands (or points to commands individually).

It seems though that instead of having separate objects for a command
with just one attribute (the command itself) and then having a group of
commands object with pointers to individual commands, we can have just a
command group object with a multi-value attribute for the commands entered.
This way we probably even do not need to have two attributes as I
proposed above.

Sorry for designing on the fly.
So options are:
1) Leave as designed - does not provide a good role management (Nack)
2) Revert to original - too complex and limiting (Nack)
3) Have a hybrid of 1) & 2) represented by two attributes
4) Make the rule reference an object named command group. The command
group object will have a mv attribute with the commands

IMO the last one is the simple compromise that addresses both concerns.
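As an added illustration of option 4 (not code from the original message or any project), here is a small model of a rule entry that references a command group whose multi-valued attribute holds the commands, with the verbatim-command attribute from option 3 also accepted. All DNs, object classes and attribute names are hypothetical; the message names none.

```python
# Constructed DNs (hypothetical, for illustration only).
RULE_DN = "cn=webadmins,ou=sudoers,dc=example,dc=com"
GROUP_DN = "cn=webctl,ou=sudocmdgroups,dc=example,dc=com"

# Constructed directory content: the rule points at a command group entry,
# and the group carries its commands in one multi-valued attribute (option 4).
# Attribute and class names are hypothetical.
DIRECTORY = {
    RULE_DN: {
        "objectClass": ["sudoRule"],
        "memberCommandGroup": [GROUP_DN],
        # Optional verbatim command on the rule itself (option 3 hybrid).
        "sudoCommand": ["/usr/bin/tail /var/log/httpd/error_log"],
    },
    GROUP_DN: {
        "objectClass": ["sudoCommandGroup"],
        "command": ["/usr/sbin/systemctl restart httpd",
                    "/usr/sbin/systemctl reload httpd"],
    },
}


def resolve_commands(directory, rule_dn):
    """Return (commands, missing_groups) for a rule.

    Commands come from the rule's own verbatim attribute plus every
    referenced command group.  A group DN that does not exist is reported
    in missing_groups instead of being silently ignored, so an admin can
    see that a rule refers to a deleted or mistyped group.
    """
    rule = directory[rule_dn]
    commands = set(rule.get("sudoCommand", []))
    missing = []
    for group_dn in rule.get("memberCommandGroup", []):
        group = directory.get(group_dn)
        if group is None:
            missing.append(group_dn)
            continue
        commands.update(group.get("command", []))
    return commands, missing
```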
