On 05/10/2011 04:38 PM, JR Aquino wrote:
On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:

JR Aquino wrote:
On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:

Add HBAC Rule and Sudo Rule to users as indirect member attributes to simplify 
the auditing of users for their indirect membership to their authorization 
rights.

An Administrator should have the ability to quickly identify the rights a user 
will have in the system.

For example, with the patch added, my user-show looks like this:

# ipa user-show tester --all
  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
  User login: tester
  First name: Tester
  Last name: Engineering
  Full name: Tester Engineering
  Display name: Tester Engineering
  Initials: TE
  Home directory: /home/tester
  GECOS field: Tester Engineering
  Login shell: /bin/sh
  Kerberos principal: tes...@example.com
  UID: 1829800388
  GID: 1829800388
  Account disabled: False
  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
  krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
  memberofindirect_HBAC rule: development
  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, AUTO-dev-deploy-tools_ZENOSS, build-integration
  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount

<freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Oops, forgot to have PATCH in the subject.

I think you need this as well, right?

-        'memberof': ['group', 'netgroup', 'role'],
+        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
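Review bot: this hunk extends only the 'memberof' list; the 'memberofindirect' list in the same attribute_members mapping needs the same two entries, since the indirect output shown for the user depends on both (the later attribute_members dump lists 'hbacrule' and 'sudorule' under both keys). It would also be worth keeping one order for the two new entries across both lists; here they are added as 'sudorule', 'hbacrule' while the dump below has 'hbacrule' before 'sudorule'.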
Some scope change.

Added memberof and memberofindirect

Added to user.py host.py group.py hostgroup.py

When using the --all flag, it is now very clear to the administrator what 
authorization rules these objects are directly or indirectly a member of.

xmlrpc tests check out

Please review



The reason that this shows up in the UI is that it is generating additional memberof attributes. It has nothing to do with the memberofindirect:

 "attribute_members": {
     "memberof": [
         "group",
         "netgroup",
         "role",
         "hbacrule",
         "sudorule"
     ],
     "memberofindirect": [
         "group",
         "netgroup",
         "role",
         "hbacrule",
         "sudorule"
     ]
 },

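
Added example (not the patch's or FreeIPA's own code): the audit this thread is after, computed from membership links the way the memberOf plugin sees them. It takes a constructed in-memory directory standing in for LDAP, walks member/memberUser links from the user up through nested groups, and splits the result into entries that list the user directly ("memberof") and entries reached only through a group ("memberofindirect"), classifying each hit by its container so that a group and a sudo rule with the same cn (build-integration in JR's output) stay distinct. The container DNs, the sample entries and the container-to-type map are assumptions made for this example; the nested group and the directly assigned sudo rule go beyond JR's output to show how the direct/indirect split behaves.

```python
"""Audit direct vs indirect membership of a user in groups, HBAC rules and
sudo rules.  Added illustration, not FreeIPA code: the directory below is a
constructed in-memory stand-in for LDAP, and the container-to-type mapping is
an assumption made for this example."""
from collections import deque

BASE = "dc=example,dc=com"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"
HBAC = f"cn=hbac,{BASE}"
SUDO = f"cn=sudorules,cn=sudo,{BASE}"

# Assumed mapping from container DN to the object type reported for it.
TYPE_BY_CONTAINER = {GROUPS: "group", HBAC: "hbacrule", SUDO: "sudorule"}

# Attributes that mean "this entry contains that DN".
MEMBER_ATTRS = ("member", "memberuser")

TESTER = f"uid=tester,{USERS}"

# Constructed sample directory: DN -> attributes.  'tester' is a direct member
# of two groups and one sudo rule; every other entry reaches the user through
# a group, or through a group nested in a group.
DIRECTORY = {
    TESTER: {"uid": ["tester"]},
    f"cn=auto-dev-deploy-tools,{GROUPS}": {"member": [TESTER]},
    f"cn=build-integration,{GROUPS}": {"member": [TESTER]},
    f"cn=engineering,{GROUPS}": {"member": [f"cn=build-integration,{GROUPS}"]},
    f"cn=development,{HBAC}": {"memberuser": [f"cn=auto-dev-deploy-tools,{GROUPS}"]},
    f"cn=engineering-hosts,{HBAC}": {"memberuser": [f"cn=engineering,{GROUPS}"]},
    f"cn=AUTO-dev-deploy-tools_DEPLOY,{SUDO}": {"memberuser": [f"cn=auto-dev-deploy-tools,{GROUPS}"]},
    f"cn=AUTO-dev-deploy-tools_ZENOSS,{SUDO}": {"memberuser": [f"cn=auto-dev-deploy-tools,{GROUPS}"]},
    f"cn=build-integration,{SUDO}": {"memberuser": [f"cn=build-integration,{GROUPS}"]},
    f"cn=emergency,{SUDO}": {"memberuser": [TESTER]},
}


def containers_of(dn, directory):
    """DNs of entries whose member/memberUser attribute lists `dn` directly."""
    return {
        entry_dn
        for entry_dn, attrs in directory.items()
        if any(dn in attrs.get(attr, []) for attr in MEMBER_ATTRS)
    }


def split_dn(dn):
    """Return (value of the first RDN, parent DN).

    Sufficient for the well-formed DNs used here; it does not handle escaped
    commas inside RDN values."""
    rdn, parent = dn.split(",", 1)
    return rdn.split("=", 1)[1], parent


def audit(user_dn, directory):
    """Return {'memberof': {type: [names]}, 'memberofindirect': {type: [names]}}.

    'memberof' holds entries that list the user directly; 'memberofindirect'
    holds entries reached only through one or more intermediate groups.  An
    entry that lists the user both directly and via a group counts as direct
    only, so no rule is reported twice."""
    direct = containers_of(user_dn, directory)
    reached = set(direct)
    queue = deque(direct)
    while queue:  # breadth-first walk up the containment graph; 'reached' stops cycles
        dn = queue.popleft()
        for parent in containers_of(dn, directory):
            if parent not in reached:
                reached.add(parent)
                queue.append(parent)
    indirect = reached - direct

    def by_type(dns):
        out = {}
        for dn in dns:
            name, parent = split_dn(dn)
            out.setdefault(TYPE_BY_CONTAINER.get(parent, "other"), []).append(name)
        return {kind: sorted(names) for kind, names in out.items()}

    return {"memberof": by_type(direct), "memberofindirect": by_type(indirect)}


if __name__ == "__main__":
    # Print in the same "memberof_<type>: a, b" shape as the user-show output.
    for section, members in audit(TESTER, DIRECTORY).items():
        for kind, names in sorted(members.items()):
            print(f"{section}_{kind}: {', '.join(names)}")
```

Against a real directory the same walk can be done with one LDAP search per hop on `(|(member=DN)(memberUser=DN))`, or, where the memberOf plugin is enabled, by reading the user's memberOf values as the reached set and subtracting the direct set obtained from a single search.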