On 11/01/2011 01:04 PM, Rodney Mercer wrote:
On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-requ...@redhat.com
On 10/31/2011 05:20 PM, Rodney Mercer wrote:
We have previously developed Solaris RBAC authorization within our
application to validate users and roles to our application's
commanding capability using the definitions that populate the name
service switch maps.
I have been searching for a method for implementing similar
using RHEL and had found promise with the following proposed
documentation for IPAv2:
We decided to back away from trying to provide central RBAC. Our
experience with multiple projects revealed that there is no one size
fits all solution regarding RBAC. But we were talking about geral Role
base access control model not specific RBAC as Solaris implemented it.
The Solaris RBAC is similar to sudo and HBAC combined together. Both
features are managed by IPA.
We also have SELinux policies on Linux that can constrain the root
access. The user SELinux roles management is on the roadmap but HBAC +
SUDO should give you the equivalent if not more functionality than
Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC
The RBAC structure that I speak of is contained within our application.
Being able to have IPA clients request the XML blob of role mappings to
internal application commanding authorizations is what I was looking
Is it possible to create IPA Roles that mean nothing to IPA yet our
independent application could query and use them with it's internal
Yes it is possible. The role mechanism does not have to have any
permissions or privileges assigned to it, and they will show up as
"member of" relations in an LDAP query.
Could extending the dirsrv schema to include attributes to be accessed
for the security of the independent application be created to work in
conjunction with these custom defined roles?
Having the IPA Server available to all hosts that run the application is
what we desire. We use *_attr Name Service Switch maps to access these
roles and attributes from our Solaris implementation.
Unless I am mistaken, HBAC might give us options as to whom may run our
applications on particular hosts, but it would not help in defining who
could run the internal application directives that we seek to map to
Sudo doesn't help for the internal commanding our application desires to
Thanks for any ideas you can lend.
Freeipa-users mailing list