On Fri, Feb 14, 2014 at 09:36:33AM +0200, Alexander Bokovoy wrote:
> On Thu, 13 Feb 2014, Steve Dainard wrote:
> >I don't think this is an issue of bugs or documentation, more of design.
> >Perhaps there's someplace other than a users list this belongs in but:
> >
> >If IPA is a centrally managed identity and access control system, should
> >these configurations not be passed to clients, rather than every client
> >needing configuration changes post join? Obviously I can automate config
> >changes, but why would I want to? I don't think sudoers priv is a fringe
> >case, it's pretty much THE case for access/admin control. I cringe to
> >compare to a Windows domain, but I don't have to manually tell a domain
> >client that it should respect the rules I set on a domain controller, I
> >joined it to the domain for this reason.
> When the majority of expected features are already implemented, it is easy
> to fall into the assumption that everything has to be complete from the start.
> That's understandable, but we are dealing with a living and evolving
> project where a feature addition often means integrating across multiple
> actual free software projects, all with their own priorities and
> schedules, step by step, or things will never happen.
>
> SUDO integration is not an exception here. First we needed to expand
> SUDO's support for external plugins. When SUDO data was placed in LDAP,
> it appeared that the existing schema isn't really optimal, so the FreeIPA schema
> was designed better (but incompatible with the existing one from SUDO LDAP),
> but required a compatibility part to work with the existing SUDO LDAP
> plugin. Next, we implemented a SUDO provider in SSSD for the existing SUDO
> LDAP schema as it gave SSSD wider coverage of SUDO support. Now we have
> implemented support for the native FreeIPA schema.
>
> The next step is to integrate configuration of it in ipa-client-install so
> that clients will get set up properly if there are SUDO rules configured on
> the server or ipa-client-install was actually given a blessing from the admin
> (via CLI option or answering a question).
>
> It takes time and effort. Unsurprisingly, this is a relatively minor
> feature in the grand picture because we have dozens of such features all
> asking for attention and time, and our development teams are not
> expanding infinitely regardless of how we all wished. :)
>
> Any help is welcome!
By the way, the native sudo backend is being worked on actively by an external contributor in the form of a thesis. We expect to have it implemented by May.

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users