From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Saturday, February 16, 2013 6:29 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and 
Solaris RBAC

On 02/15/2013 10:31 PM, Dmitri Pal wrote:
> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>> I agree with schema support being enough for now. I do not expect the
>>> ipa mgmt tools to support Solaris rbac mgmt.
>>> The ipa mgmt tools are great, but I already have other data in the ipa
>>> ldap that I have to manage manually anyway.
>>> Rgds,
>>> Siggi
>>> Rob Crittenden <rcrit...@redhat.com> wrote:
>>>     Dag Wieers wrote:
>>>         On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>             Sigbjorn Lie wrote:
>>>                 On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>                     Also since we also require compatibility with Solaris,
>>>                     and roles (RBAC) is currently used on Solaris, does IPA
>>>                     support RBAC on Solaris? (We noticed that RBAC mentioned
>>>                     in the IPA web interface only relates to IPA management).
>>>                     No, IPA doesn't support RBAC on Solaris.
>>>                 I've come across the same issue. This is just a matter of
>>>                 extending the schema.
>>>                 Would there be any interest for adding the Solaris RBAC
>>>                 schema as a part of the standard IPA distributed LDAP schema?
>> Consider the following: What else would have to be put in to support
>> this?
>> Once the schema is established, can SSSD be extended to use this and
>> potentially be referenced in nsswitch.conf as it is implemented on
>> Solaris? IE:
>> tail -5 /etc/nsswitch.conf
>> user_attr:  sssd
>> auth_attr:  sssd
>> prof_attr:  sssd
>> exec_attr:  sssd
>> project:    sssd
> Before we define how it is passed/exposed it would be nice to understand
> who on Linux will be consuming it out of SSSD?

I don't think Linux would consume these attributes. They are specific to
the Role Based Access Control solution implemented in Solaris.
Yes, I understand that Linux currently has no mechanism built in to consume 
these Solaris name server switch attributes. But if the Solaris RBAC schema is 
included as part of the standard IPA distributed LDAP schema, my question is how 
hard would it be to create an extension using SSSD/pam to do so?

I agree that it is too much to ask for a full Solaris style RBAC implementation 
on RHEL. 

We have an application that currently uses the Solaris RBAC structure to 
authorize user/role accesses within the application.

Our goal is to use existing OS calls, or possibly extend SSSD to allow system 
calls, that would give us back an answer about attributes placed within the LDAP 
tree that are composed in the same fashion as they are stored in Solaris. 
Defining the schema seemed to be well received, and I understand that it is 
intended to be there to support Solaris clients.
If SSSD could be extended to access these attributes, and possibly pam modules 
added to allow Linux clients to take advantage of this RBAC schema, then our 
application could perform as it does on Solaris. It would also open up the 
opportunity for other vendors to consider moving their Solaris RBAC 
applications to RHEL.

I think with that as a goal, we could then create users and SELinux roles that 
are defined within the RBAC-based schema, much like our current Solaris 
We use Solaris nsswitch calls to get yes/no authorization answers for 
user/role privilege within our application.

Since IdM and SSSD already support 
c) SELinux user mapping

I believe HBAC as already implemented in IdM will be an additional asset in 
defining and restricting access that can be used by our customers.
We have decided to move away from sudo, but may reconsider some of its uses if 
it suits the situation. 
Maybe SSSD can be extended to access the RBAC schema in much the same way that 
it accesses SUDO or HBAC schema?

We have decided to use RHEL as the primary OS platform of choice going forward, 
and we need to create a solution to our application RBAC needs similar to what 
we have accomplished with Solaris. I have been speaking with Dmitri on the side 
about these possibilities and would like to know what each of your thoughts are. 
The feasibility of accomplishing this is a bit over my head but is certainly 
our goal.
I believe our management is committed to creating such a solution by involving 
our software engineers. Helping with adding the Solaris RBAC schema and 
contributing the GUI to manage the RBAC Schema data would be a goal.

Also, since this is not the SSSD development list, I would like to know the 
list info for SSSD development and see what their thoughts are.

Dmitri, to answer your questions to me directly:
Certainly we can discuss additional security components such as centrally 
managed SSH keys and host fingerprints. We don't need any interaction within 
our application to include AD, but our customers may want to take advantage of 
that at some point.
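The yes/no authorization answer described above, the one Solaris applications get from nsswitch-backed user_attr/prof_attr lookups, can be modelled directly. The following is an added example and is not code from this thread, from FreeIPA or from SSSD; the user_attr and prof_attr records are constructed for illustration (in the Solaris flat-file column layout) rather than taken from any LDAP tree, and the wildcard handling is a simplified prefix match of the rule chkauthattr(3SECDB) applies.

```python
"""Answer a Solaris-RBAC-style yes/no authorization question from user_attr and
prof_attr data, in the manner of chkauthattr(3SECDB) on Solaris.

A user holds an authorization when it appears in the user's own auths= list or
in the auths= list of any rights profile (directly, or via nested profiles=)
assigned to the user. A granted name ending in '*' is treated as a prefix
wildcard (a simplification of the Solaris rule).
"""

# Constructed sample records in the colon-separated Solaris layout
# (user_attr: user:qualifier:res1:res2:attr ; prof_attr: name:res1:res2:desc:attr).
# In a deployment these would be fetched from the LDAP-backed name service
# (via SSSD or a direct LDAP lookup), not embedded in the program.
USER_ATTR = """\
root::::auths=solaris.*;profiles=All
alice::::auths=solaris.system.shutdown;profiles=Audit Review,Basic Solaris User
bob::::profiles=Basic Solaris User
"""

PROF_ATTR = """\
All:::Execute any command:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All
Audit Review:::Review Audit Trail:auths=solaris.audit.read,solaris.audit.lookup
"""


def parse_attr_field(field):
    """Turn 'k1=a,b;k2=c' into {'k1': ['a', 'b'], 'k2': ['c']}."""
    result = {}
    for item in field.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        result[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return result


def parse_table(text, attr_index):
    """Map the first field of each record to its parsed key=value attributes."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= attr_index:
            continue  # malformed record: skip it rather than guess
        table[fields[0]] = parse_attr_field(fields[attr_index])
    return table


USERS = parse_table(USER_ATTR, 4)      # attr is the 5th field of user_attr
PROFILES = parse_table(PROF_ATTR, 4)   # attr is the 5th field of prof_attr


def effective_auths(user, users=USERS, profiles=PROFILES):
    """Collect the user's direct auths plus those of every reachable profile."""
    entry = users.get(user, {})
    auths = set(entry.get("auths", []))
    seen = set()
    todo = list(entry.get("profiles", []))
    while todo:
        name = todo.pop()
        if name in seen or name not in profiles:
            continue  # unknown profile grants nothing; seen-set stops cycles
        seen.add(name)
        auths.update(profiles[name].get("auths", []))
        todo.extend(profiles[name].get("profiles", []))
    return auths


def auth_matches(granted, wanted):
    """Exact match, or prefix match when the granted name ends in '*'."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def chkauthattr(user, authorization, users=USERS, profiles=PROFILES):
    """Yes/no: does `user` hold `authorization`? Unknown users always get 'no'."""
    return any(auth_matches(g, authorization)
               for g in effective_auths(user, users, profiles))


if __name__ == "__main__":
    for user, auth in [("alice", "solaris.audit.read"),
                       ("bob", "solaris.system.shutdown"),
                       ("root", "solaris.network.link.security")]:
        print(f"{user:6} {auth:32} {'yes' if chkauthattr(user, auth) else 'no'}")
```

The decision is only as trustworthy as the record source: on Solaris the `user_attr`/`prof_attr` databases arrive through nsswitch, whereas on Linux no such databases exist, so the lookup step (everything feeding `USERS` and `PROFILES` here) is exactly the part that would need SSSD or an LDAP query against the IPA tree.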

Freeipa-users mailing list