Hi,

Thanks...yes, I don't care "how" as such.  I'm trying to translate traditional 
Linux/Unix ways of doing things into IPA where possible...maybe that's where 
I'm communicating poorly and causing confusion, sorry about that.  

It's like English and French: I want the French but only have the English words 
to ask in.

:/

su - root can be local, that's OK as that is unique and exists locally.  But I 
need to do a lot of as kodak wants and have a group of users log in as 
themselves and then get to an application "user".  Typically this would be, say, 
oracle...but I don't want the user oracle to be able to ssh in...so that can be 
IPA controlled, I know, which I'd rather do than putting a deny into 
sshd_config....as when you want to refresh a database you could have an HBAC for 
Oracle defined between 2 specific hosts for a set length of time, say.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com]
Sent: Wednesday, 18 July 2012 10:17 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle 
only?

On 07/17/2012 02:06 PM, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> *From:* Arpit Tolani [arpittol...@gmail.com]
> *Sent:* Tuesday, 17 July 2012 11:13 p.m.
> *To:* Steven Jones
> *Cc:* Rob Crittenden; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] How to set a user group rule to allow su
> - oracle only?

I think that is because you are talking about two separate things. You
want to control entry to root via su, this may or may not be
controllable with IPA, but probably not.

You want to control entry to the oracle user via sudo and restrict that
to a group of users, that is entirely possible within IPA.

-Erinn





