On 11/18/10 8:16 AM, "Nalin Dahyabhai" <na...@redhat.com> wrote:
><snipit>
>> 
>> ToDo's:
>> 
>> * Get sudo compat to translate usergroup/posix groups such that it can
>> prepend a %groupname <- notice that it is not a fully qualified DN.
>
>If memberUser can point to either a user or a group, and we read a
>memberUser entry's "cn" attribute, we don't currently have a way to
>avoid throwing the "cn" values from user entries into the mix.  I
>could've sworn we were using memberGroup and memberNetgroup for those
>cases to avoid this, but it appears I was mistaken.

The IPA SudoRule Structure has largely been based off of what we are doing
today with HBAC.

HBAC does not distinguish between memberGroup and memberNetgroup... It's
simply memberHost and memberUser for both HBAC and IPASudoRules.

Also, when HBAC or IPASudoRules add a member, there is no resulting
'memberOf' or (hbacMemberOf/sudoMemberOf) inserted into the usergroup,
hostgroup, command group, etc...  Whereas, if you add a host to a
hostgroup, the host ends up with a pointer referring back to the
hostgroup.  I believe this was done to provide referential integrity.

We will definitely need to modify the schema under the hood if it is
necessary to make these shifts, but I am not sure if that sort of change
will be affected by the way the backend treats these sorts of objects.

>
>> * Get sudo compat to translate the 'hostgroups' into whatever their
>> respective nisnetgroups should be and refer to them as +nisnetgroupname <-
>> again, can't be fully qualified in the translation.
>
>That won't work -- a hostgroup isn't a netgroup, so the name of a
>hostgroup won't mean anything to a client if we provide it there.

From the start of this project, we have faced this challenge, and need to
have an answer for it.

Sudo does not support hostgroups; it only knows about nisnetgroups.

As such, either we need the backend code to translate this information
automatically for us.

Or 

We need to go down the path of procedurally solving this issue.

For example:

* Create a user + usergroup
* Create a command + commandgroup
* Create a host + hostgroup
* Create a nisNetgroup with the same name as the ipaHostgroup, and add the
hostgroup into the nisNetgroup...
* Allow translation to occur and point everything with 1-to-1 except for:
  - sudocmdgroups are unknown to sudo, so the individual commands need to be
    broken out and listed individually in the translation.
  - sudoHost will need to point to a (shared name) that represents both an
    ipaHostgroup and an ipaNisNetgroup.

We have discussed this challenge at length, and everyone agrees that
nisNetgroups are a thing of the past that is best forgotten.  However, it
is necessary to support them in the interim because sudo currently does
not support anything else.  It is an ideal to strive toward getting sudo
to support hostgroups, and also to support sssd, but we have a long way to
go to get there.


-JR
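The procedural translation JR sketches above, written out as an added Python example (this is not FreeIPA's compat plugin code and not code from anyone in the thread). It resolves every memberUser and memberHost DN to its entry before deciding how to render it, which avoids the problem Nalin raises of a user entry's cn being mistaken for a group name; it renders host groups as +name only when a netgroup with that shared name actually exists, and reports the rest as unresolved; and it expands command groups into individual commands. All directory records, the rule entry, the "kind" field standing in for real objectClasses, and the attribute name memberAllowCmd for the rule's command membership are constructed assumptions for this example.

```python
# Added example, not FreeIPA code. Translate an IPA-style sudo rule into the
# flat sudoUser/sudoHost/sudoCommand values a sudoers-LDAP client expects:
#   users and hosts 1-to-1, user groups as %name, host groups as +netgroup
#   (only when a same-named netgroup exists), command groups expanded.
# Every record below is constructed; "kind" stands in for real objectClasses.

DIRECTORY = {
    "uid=alice,cn=users,dc=example,dc=com":
        {"kind": "user", "uid": "alice", "cn": "Alice Example"},
    "cn=admins,cn=groups,dc=example,dc=com":
        {"kind": "group", "cn": "admins"},
    "fqdn=db1.example.com,cn=computers,dc=example,dc=com":
        {"kind": "host", "fqdn": "db1.example.com"},
    "cn=webservers,cn=hostgroups,dc=example,dc=com":
        {"kind": "hostgroup", "cn": "webservers"},
    "cn=webservers,cn=ng,dc=example,dc=com":
        {"kind": "netgroup", "cn": "webservers"},   # shared-name netgroup exists
    "cn=dbservers,cn=hostgroups,dc=example,dc=com":
        {"kind": "hostgroup", "cn": "dbservers"},   # no matching netgroup
    "sudocmd=/usr/bin/systemctl restart httpd,cn=sudocmds,dc=example,dc=com":
        {"kind": "cmd", "cmd": "/usr/bin/systemctl restart httpd"},
    "sudocmd=/usr/bin/systemctl reload httpd,cn=sudocmds,dc=example,dc=com":
        {"kind": "cmd", "cmd": "/usr/bin/systemctl reload httpd"},
    "cn=httpd,cn=sudocmdgroups,dc=example,dc=com":
        {"kind": "cmdgroup", "cn": "httpd", "member": [
            "sudocmd=/usr/bin/systemctl restart httpd,cn=sudocmds,dc=example,dc=com",
            "sudocmd=/usr/bin/systemctl reload httpd,cn=sudocmds,dc=example,dc=com"]},
}

# Constructed ipaSudoRule-like entry; "memberAllowCmd" is an assumed name.
RULE = {
    "cn": "httpd-admins",
    "memberUser": ["uid=alice,cn=users,dc=example,dc=com",
                   "cn=admins,cn=groups,dc=example,dc=com"],
    "memberHost": ["fqdn=db1.example.com,cn=computers,dc=example,dc=com",
                   "cn=webservers,cn=hostgroups,dc=example,dc=com",
                   "cn=dbservers,cn=hostgroups,dc=example,dc=com"],
    "memberAllowCmd": ["cn=httpd,cn=sudocmdgroups,dc=example,dc=com"],
}


def netgroup_names(directory):
    """Names of all netgroups; a hostgroup is only usable if one shares its name."""
    return {e["cn"] for e in directory.values() if e["kind"] == "netgroup"}


def translate_user(dn, directory, unresolved):
    """A user becomes its uid, a group becomes %cn; never read cn from a user."""
    ent = directory.get(dn)
    if ent is not None and ent["kind"] == "user":
        return ent["uid"]
    if ent is not None and ent["kind"] == "group":
        return "%" + ent["cn"]
    unresolved.append(dn)
    return None


def translate_host(dn, directory, unresolved):
    """A host becomes its fqdn; a hostgroup becomes +name only if a netgroup
    of the same name exists, since sudo only understands netgroups."""
    ent = directory.get(dn)
    if ent is not None and ent["kind"] == "host":
        return ent["fqdn"]
    if ent is not None and ent["kind"] == "hostgroup" \
            and ent["cn"] in netgroup_names(directory):
        return "+" + ent["cn"]
    unresolved.append(dn)
    return None


def expand_commands(dn, directory, unresolved, seen=None):
    """Command groups are unknown to sudo, so flatten them to commands."""
    seen = set() if seen is None else seen
    if dn in seen:              # guard against nested-group cycles
        return []
    seen.add(dn)
    ent = directory.get(dn)
    if ent is not None and ent["kind"] == "cmd":
        return [ent["cmd"]]
    if ent is not None and ent["kind"] == "cmdgroup":
        out = []
        for member in ent.get("member", []):
            out.extend(expand_commands(member, directory, unresolved, seen))
        return out
    unresolved.append(dn)
    return []


def translate_rule(rule, directory):
    """Return (sudoRole-style attribute dict, list of DNs that could not map)."""
    unresolved = []
    role = {"cn": rule["cn"], "sudoUser": [], "sudoHost": [], "sudoCommand": []}
    for dn in rule.get("memberUser", []):
        value = translate_user(dn, directory, unresolved)
        if value is not None and value not in role["sudoUser"]:
            role["sudoUser"].append(value)
    for dn in rule.get("memberHost", []):
        value = translate_host(dn, directory, unresolved)
        if value is not None and value not in role["sudoHost"]:
            role["sudoHost"].append(value)
    for dn in rule.get("memberAllowCmd", []):
        for cmd in expand_commands(dn, directory, unresolved):
            if cmd not in role["sudoCommand"]:
                role["sudoCommand"].append(cmd)
    return role, unresolved


if __name__ == "__main__":
    role, missing = translate_rule(RULE, DIRECTORY)
    for attr in ("sudoUser", "sudoHost", "sudoCommand"):
        for value in role[attr]:
            print(f"{attr}: {value}")
    for dn in missing:
        print(f"unresolved (no netgroup or unknown entry): {dn}")
```

The unresolved list is the part worth watching in practice: a hostgroup that has no same-named netgroup silently drops out of sudoHost, so a rule can end up narrower than the administrator believes, and the compat layer should log that rather than emit a +name sudo will never match.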


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
