On 11/24/10 11:19 AM, "Dmitri Pal" <d...@redhat.com> wrote:
>It is well known that with IPA we want to try to move people from the
>netgroups to host groups but many companies currently use netgroups as
>hostgroups. To simplify migration I suggest that we by default always
>create a managed "nisnetgroup" entry that would map 1-1 to the host
>group using managed entry plugin. The logic would work the following way:
>1) When the host group is created the netgroup also will be created with
>the same name and memberHost attribute pointing to the DN of the newly
>created host group
>2) The deletion of the host group will automatically remove managed
>3) The rename of the host group (if allowed) should cause the managed
>group to be renamed too.
>In the UI/CLI we will filter out managed netgroups in all cases related
>to identity part of the server (list of netgroups, users members of the
>netgroup, hosts members of netgroup, etc.). The netgroups will be
>available only in the special cases like SUDO plugin.
>The work will consist of:
>1) Defining the managed entry plugin config for this case
>2) Adding this configuration to the installation sequence
>3) Updating netgroup searches to filter out managed entries
>4) Allow all netgroups in SUDO plugin (I think this is already the case).
>If this proposal looks reasonable I will open a ticket.
>JR, will you be able to provide a patch that does all of this since this
>is not exactly what we originally planned?
This proposal looks reasonable.
I will be working this week to explore handling this in either the
'Managed Entries' or 'Plugin' Route to see which is the most appropriate.
Freeipa-devel mailing list
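A sketch of work item 1 from the proposal above, written for the 389 Directory Server Managed Entries plugin. It is an added example, not configuration from this thread or from the FreeIPA tree. The suffix dc=example,dc=com, the container DNs, the entry names and the ipahostgroup/ipanisnetgroup object classes are assumptions.

```ldif
# Constructed example. Suffix, container DNs and entry names are assumptions.

# Template: the shape of the netgroup generated for each host group.
# cn is copied from the host group (same name, rule 1) and memberHost is
# set to the DN of the host group that triggered the creation.
dn: cn=Hostgroup Netgroup Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: mepTemplateEntry
cn: Hostgroup Netgroup Template
mepRDNAttr: cn
mepStaticAttr: objectClass: ipanisnetgroup
mepMappedAttr: cn: $cn
mepMappedAttr: memberHost: $dn

# Definition: which origin entries get a managed entry, and where it lives.
# Only entries under originScope that match originFilter are mirrored, so
# the scope should be no wider than the host group container.
dn: cn=Hostgroup Netgroup Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=example,dc=com
objectClass: extensibleObject
cn: Hostgroup Netgroup Definition
originScope: cn=hostgroups,cn=accounts,dc=example,dc=com
originFilter: objectClass=ipahostgroup
managedBase: cn=ng,cn=alt,dc=example,dc=com
managedTemplate: cn=Hostgroup Netgroup Template,cn=Templates,cn=Managed Entries,cn=etc,dc=example,dc=com

# The plugin links the two entries: the host group gains objectClass
# mepOriginEntry, the generated netgroup gains objectClass mepManagedEntry.
# It removes the managed entry when the origin is deleted (rule 2) and
# renames it when the mapped RDN attribute changes (rule 3).
#
# Work item 3 (hide managed netgroups from identity listings) can then be
# expressed as a search filter that excludes the marker object class:
#   (&(objectClass=ipanisnetgroup)(!(objectClass=mepManagedEntry)))
# Callers that must see every netgroup, such as the SUDO plugin, search
# without the negated clause.
```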