On Tue, 30 Aug 2016, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Tue, 30 Aug 2016, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Tue, 30 Aug 2016, Deepak Dimri wrote:
Ok, I got it now. Let me try this with role + privilege having three sets
of permissions: 1) memberOf hostgroup to manage the permissions to the
hosts, 2) permission on cn=hostgroup to manage the hosts' membership
within the given group, 3) permission for the "member attribute" to allow
add/deletion of hosts' membership based on the "member attribute"
value. I need to go through the link you shared; in the meanwhile, a quick
question: can I add a custom attribute, something like an AWS EC2 resource
tag, as the member attribute of a host? I am just wondering what
all/else could be a member attribute other than AWS EC2 instance
name...
Each ipaHost object has a userClass attribute. The semantics are described
in RFC 4524, section 2.25. We don't use it for anything ourselves; it
has a DirectoryString type (UTF-8-encoded string).

userClass is used for auto membership.
You mean it can be used. At least I don't see pre-defined automember
rules with userClass. We even say in 'ipa host-mod' about the --class
option:
 --class=STR           Host category (semantics placed on this attribute are
                       for local interpretation)


Perhaps, but this attribute was added specifically for this use case: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Sure, it still means semantics are locally interpreted by whoever does
the deployment. I doubt anything in Deepak's setup relies on userClass
yet.

--
/ Alexander Bokovoy
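The delegation Deepak describes (permissions grouped into a privilege, the privilege into a role) and the userClass-keyed automember rule discussed afterwards, written out as `ipa` commands. This is an added example, not code from the thread or from the FreeIPA project; the hostgroup name aws-web, the role name, the "webserver" class value and the ipa_cmd wrapper are constructed for illustration. The wrapper only prints each command unless DRY_RUN=0 is set and an admin Kerberos ticket is present, so the script can be read and run offline.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA itself). Names below are
# constructed: hostgroup "aws-web", role "AWS host operators", class "webserver".

# Print each ipa command; execute it only when DRY_RUN=0 (requires kinit admin).
ipa_cmd() {
    printf 'ipa %s\n' "$*"
    if [ "${DRY_RUN:-1}" = "0" ]; then
        command ipa "$@" || return 1
    fi
}

# Two permissions, one privilege, one role:
#  - "Manage $hg hosts": write selected host attributes, but only on hosts
#    that are already members of $hg (--memberof sets a memberOf targetfilter).
#  - "Manage $hg membership": write the member attribute of the hostgroup
#    entry cn=$hg itself, which is what host add/remove on the group modifies.
# Deepak's third item (a permission on the member attribute) is covered by
# the second permission: --attrs=member is the only attribute it can write.
delegate_hostgroup() {
    hg="$1"; role="$2"; priv="$hg membership management"
    ipa_cmd permission-add "Manage $hg hosts" --type=host --memberof="$hg" \
        --right=write --attrs=description --attrs=userclass
    ipa_cmd permission-add "Manage $hg membership" --type=hostgroup \
        --filter="(cn=$hg)" --right=write --attrs=member
    ipa_cmd privilege-add "$priv"
    ipa_cmd privilege-add-permission "$priv" \
        --permissions="Manage $hg hosts" --permissions="Manage $hg membership"
    ipa_cmd role-add "$role"
    ipa_cmd role-add-privilege "$role" --privileges="$priv"
}

# Automember rule keyed on userClass: the rule name must equal the hostgroup
# name, and the condition is a regex over the attribute value. Automember only
# fires on newly added hosts, so existing hosts need a rebuild afterwards.
automember_by_class() {
    hg="$1"; class_regex="$2"
    ipa_cmd automember-add "$hg" --type=hostgroup
    ipa_cmd automember-add-condition "$hg" --type=hostgroup --key=userclass \
        --inclusive-regex="$class_regex"
    ipa_cmd automember-rebuild --type=hostgroup
}

# Tag a host with its class; a provisioning system would do this at enrolment.
set_host_class() {
    ipa_cmd host-mod "$1" --class="$2"
}

delegate_hostgroup aws-web "AWS host operators"
automember_by_class aws-web '^webserver$'
set_host_class web1.example.test webserver
```

Two caveats worth keeping in mind: the memberOf-filtered permission only applies to a host after it is already in the group, so the delegated operator can edit members but cannot bootstrap a host into the group by editing the host; and the userClass regex is matched against the raw attribute value, so anchor it (`^...$`) unless prefix matching is intended.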

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
