On Mar 5, 2013, at 9:15 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Артур Файзуллин wrote:
>> What rule must be present for replica to work? :) (in order to remove
>> allow-all rule)
>> I mean maybe there is somewhere a guide to write rules for strict
>> allows?
> 
> During the installation we check that communication works between the two 
> servers, so ssh is needed between masters 
> (https://fedorahosted.org/freeipa/ticket/3298). You should be able to use 
> --skip-conncheck to avoid this.
> 
> I don't think we have any suggestions for rules, just documentation on how to 
> write them in general.


However, you could probably make a class of users - admins, for example - that 
can SSH to the KDCs. Who else would be making new replicas? You need the 
master passwords IIRC.


I would really love to have the ability to easily give certain classes of users 
SSH, and potentially only on certain servers.  


That, plus the ability to change and set your password without ever logging 
into a system will allow us to really use IPA effectively. (We have users 
that don't use Linux, and are in IPA only for LDAP & Kerberos auth against web 
apps.)

Matthew




Matthew Barr
Technical Architect
E: mb...@snap-interactive.com
AIM: matthewbarr1
c:  (646) 727-0535


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
