On 10/01/2013 04:08 AM, Lukáš Bezdička wrote:
> We came to a situation when we need to add parameter memberOf to
> services, but there is no configuration in 389 for this nor UI in
> FreeIPA. Is it possible to implement groups for services?
>
> Example of use case:
> We have a web service in front of which we put Apache with Kerberos
> authentication and LDAP authorization. This service is used by both
> users and services/scripts running on nodes. For this we set up service
> keytabs per service as we want them unprivileged and we don't want
> those services to touch the host's principal. This works pretty well so
> far but management of the LDAP authorization
> makes it a pain in the ass :(

1) Please explain what this means. What kind of access control are you talking about? In your application? Are you looking to have something like an HBAC library but for services that can be reused by applications?

2) Please answer above and file an RFE

3) The RFE would most likely get into a pile and sit there for a couple of years as we have other things that seem more pressing, so contributing the code for something like this would be a good option. We can help and guide. Are you interested?

Thanks
Dmitri

> In an ideal use case we'd love to see groups which can contain services or
> users or hosts.
>
> Thank you,
> Lukas Bezdicka
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
