On 10/01/2013 04:08 AM, Lukás( Bezdic(ka wrote:
> We came to situation when we need to add parameter memberOf to
> services, but there is no configuration in 389 for this nor UI in
> freeipa. Is it possible to implement groups for services?
> Example of usecase:
> We have web service infront of which we put apache with kerberos
> authentication and ldap authorization. This service is used by both
> users and services/scripts running on nodes. For this we setup service
> keytabs per service as we want them unprivileged and we don't want
> those services to touch host's principal. This works pretty well so
> far but management of the ldap authorization
> makes it pain in the ass :(

1) Please explain what this means. What kind of access control you are
talking about? In your application? You are looking to have something
like HBAC library but for services that can be reused by applications?
2) Please answer above and file an RFE
3) The RFE would most likely get into a pile and sit there for couple
years as we have other things that seem more pressing so contributing
the code for something like this would be a good option. We can help and
guide. Are you interested?


> In ideal usecase we'd love to see groups which can contain services or
> users or hosts.
> Thank you,
> Lukas Bezdicka
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to