It is well known that with IPA we want to try to move people from the
netgroups to host groups but many companies currently use netgroups as
hostgroups. To simplify migration I suggest that we by default always
create a managed "nisnetgroup" entry that would map 1-1 to the host
group using the managed entry plugin. The logic would work the following way:

1) When the host group is created the netgroup also will be created with
the same name and memberHost attribute pointing to the DN of the newly
created host group
2) The deletion of the host group will automatically remove the managed netgroup
3) The rename of the host group (if allowed) should cause the managed
group to be renamed too.

In the UI/CLI we will filter out managed netgroups in all cases related
to the identity part of the server (list of netgroups, users members of the
netgroup, hosts members of netgroup, etc.). The netgroups will be
available only in the special cases like the SUDO plugin.

The work will consist of:
1) Defining the managed entry plugin config for this case
2) Adding this configuration to the installation sequence
3) Updating netgroup searches to filter out managed entries
4) Allow all netgroups in SUDO plugin (I think this is already the case).

If this proposal looks reasonable I will open a ticket.
JR, will you be able to provide a patch that does all of this since this
is not exactly what we originally planned?

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
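
A sketch of the managed entry plugin configuration that item 1 of the work list calls for, added here as an example; it is not part of the message above and not the project's own configuration. It assumes the 389 Directory Server Managed Entries plugin, a constructed suffix dc=example,dc=com, FreeIPA-style containers and object classes (ipaHostGroup, ipaNISNetgroup), and entry names chosen for illustration.

```ldif
# Template: the shape of the netgroup generated for each host group.
# "$cn" and "$dn" are expanded by the plugin from the origin (host group) entry,
# so the netgroup gets the same name and a memberHost pointing at the host group DN.
dn: cn=hostgroup-netgroup-template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: mepTemplateEntry
cn: hostgroup-netgroup-template
mepRDNAttr: cn
mepStaticAttr: objectClass: ipaNISNetgroup
mepStaticAttr: objectClass: ipaObject
mepStaticAttr: ipaUniqueId: autogenerate
mepStaticAttr: nisDomainName: example.com
mepMappedAttr: cn: $cn
mepMappedAttr: memberHost: $dn
mepMappedAttr: description: managed netgroup for host group $cn

# Definition: which entries trigger the plugin and where the managed entry goes.
# Creating a host group under originScope creates the netgroup under managedBase;
# deleting or renaming the host group is propagated to the managed netgroup.
dn: cn=hostgroup-netgroup-definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: extensibleObject
cn: hostgroup-netgroup-definition
originScope: cn=hostgroups,cn=accounts,dc=example,dc=com
originFilter: objectClass=ipaHostGroup
managedBase: cn=ng,cn=alt,dc=example,dc=com
managedTemplate: cn=hostgroup-netgroup-template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com

# Work item 3 (hide managed netgroups in identity views): the plugin marks every
# entry it creates with objectClass mepManagedEntry, so a netgroup search can
# exclude them with a filter such as
#   (&(objectClass=ipaNISNetgroup)(!(objectClass=mepManagedEntry)))
# while the SUDO plugin searches without the negated clause.
```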
