Re: [Freeipa-devel] Host groups and netgroups
JR Aquino wrote:
> On 11/24/10 11:19 AM, Dmitri Pal d...@redhat.com wrote:
>
> > Hello,
> >
> > It is well known that with IPA we want to try to move people from the netgroups to host groups but many companies currently use netgroups as hostgroups. To simplify migration I suggest that we by default always create a managed nisnetgroup entry that would map 1-1 to the host group using managed entry plugin.
> >
> > The logic would work the following way:
> > 1) When the host group is created the netgroup also will be created with the same name and memberHost attribute pointing to the DN of the newly created host group
> > 2) The deletion of the host group will automatically remove managed netgroup
> > 3) The rename of the host group (if allowed) should cause the managed group to be renamed too.
> >
> > In the UI/CLI we will filter out managed netgroups in all cases related to identity part of the server (list of netgroups, users members of the netgroup, hosts members of netgroup, etc.). The netgroups will be available only in the special cases like SUDO plugin.
> >
> > The work will consist of:
> > 1) Defining the managed entry plugin config for this case
> > 2) Adding this configuration to the installation sequence
> > 3) Updating netgroup searches to filter out managed entries
> > 4) Allow all netgroups in SUDO plugin (I think this is already the case).
> >
> > If this proposal looks reasonable I will open a ticket.
> > JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned?
>
> This proposal looks reasonable. I will be working this week to explore handling this in either the 'Managed Entries' or 'Plugin' Route to see which is the most appropriate.

I opened a ticket https://fedorahosted.org/freeipa/ticket/543

JR do you have a Fedora account?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Host groups and netgroups
On 11/24/10 11:19 AM, Dmitri Pal d...@redhat.com wrote:

> Hello,
>
> It is well known that with IPA we want to try to move people from the netgroups to host groups but many companies currently use netgroups as hostgroups. To simplify migration I suggest that we by default always create a managed nisnetgroup entry that would map 1-1 to the host group using managed entry plugin.
>
> The logic would work the following way:
> 1) When the host group is created the netgroup also will be created with the same name and memberHost attribute pointing to the DN of the newly created host group
> 2) The deletion of the host group will automatically remove managed netgroup
> 3) The rename of the host group (if allowed) should cause the managed group to be renamed too.
>
> In the UI/CLI we will filter out managed netgroups in all cases related to identity part of the server (list of netgroups, users members of the netgroup, hosts members of netgroup, etc.). The netgroups will be available only in the special cases like SUDO plugin.
>
> The work will consist of:
> 1) Defining the managed entry plugin config for this case
> 2) Adding this configuration to the installation sequence
> 3) Updating netgroup searches to filter out managed entries
> 4) Allow all netgroups in SUDO plugin (I think this is already the case).
>
> If this proposal looks reasonable I will open a ticket.
> JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned?

This proposal looks reasonable. I will be working this week to explore handling this in either the 'Managed Entries' or 'Plugin' Route to see which is the most appropriate.
[Freeipa-devel] Host groups and netgroups
Hello,

It is well known that with IPA we want to try to move people from the netgroups to host groups but many companies currently use netgroups as hostgroups. To simplify migration I suggest that we by default always create a managed nisnetgroup entry that would map 1-1 to the host group using managed entry plugin.

The logic would work the following way:
1) When the host group is created the netgroup also will be created with the same name and memberHost attribute pointing to the DN of the newly created host group
2) The deletion of the host group will automatically remove managed netgroup
3) The rename of the host group (if allowed) should cause the managed group to be renamed too.

In the UI/CLI we will filter out managed netgroups in all cases related to identity part of the server (list of netgroups, users members of the netgroup, hosts members of netgroup, etc.). The netgroups will be available only in the special cases like SUDO plugin.

The work will consist of:
1) Defining the managed entry plugin config for this case
2) Adding this configuration to the installation sequence
3) Updating netgroup searches to filter out managed entries
4) Allow all netgroups in SUDO plugin (I think this is already the case).

If this proposal looks reasonable I will open a ticket.
JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
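The create/delete/rename lifecycle and the managed-entry filtering proposed in the message above, modelled in memory as an added example (not part of the original post, and not FreeIPA or 389 DS code). The `Directory` class, the sample suffix, the container DNs and the choice to refuse a host group whose name clashes with a hand-made netgroup are assumptions made for illustration; `mepManagedEntry` and `mepManagedBy` are the markers the 389 DS Managed Entries plugin puts on entries it creates.

```python
SUFFIX = "dc=example,dc=com"  # constructed sample suffix

def hostgroup_dn(cn):
    return f"cn={cn},cn=hostgroups,{SUFFIX}"  # assumed container

def netgroup_dn(cn):
    return f"cn={cn},cn=netgroups,{SUFFIX}"  # assumed container

class Directory:
    """Toy in-memory directory: DN -> attribute dict (hypothetical helper)."""

    def __init__(self):
        self.entries = {}

    def add_netgroup(self, cn, member_host=(), managed_by=None):
        dn = netgroup_dn(cn)
        if dn in self.entries:
            raise ValueError(f"netgroup {cn!r} already exists")
        classes = {"nisNetgroup"} | ({"mepManagedEntry"} if managed_by else set())
        self.entries[dn] = {"cn": cn, "objectClass": classes,
                            "memberHost": list(member_host), "mepManagedBy": managed_by}

    def add_hostgroup(self, cn):
        dn = hostgroup_dn(cn)
        if dn in self.entries:
            raise ValueError(f"host group {cn!r} already exists")
        # Create the managed netgroup first: a clash with a hand-made netgroup
        # of the same name aborts before the host group is stored.
        self.add_netgroup(cn, member_host=[dn], managed_by=dn)
        self.entries[dn] = {"cn": cn, "objectClass": {"ipaHostGroup"}}

    def del_hostgroup(self, cn):
        dn = hostgroup_dn(cn)
        del self.entries[dn]
        shadow = self.entries.get(netgroup_dn(cn))
        if shadow and shadow["mepManagedBy"] == dn:  # never remove a hand-made one
            del self.entries[netgroup_dn(cn)]

    def rename_hostgroup(self, old, new):
        if hostgroup_dn(new) in self.entries or netgroup_dn(new) in self.entries:
            raise ValueError(f"{new!r} is already in use")
        self.del_hostgroup(old)   # removes the old managed netgroup too
        self.add_hostgroup(new)   # recreates it under the new name

    def netgroups(self, include_managed=False):
        # Identity views hide managed entries; a SUDO-style caller passes True.
        return sorted(e["cn"] for e in self.entries.values()
                      if "nisNetgroup" in e["objectClass"] and
                      (include_managed or "mepManagedEntry" not in e["objectClass"]))
```

Because the managed netgroup takes the host group's name, the collision check matters during migration: a site that already has a netgroup called `webservers` cannot silently get a second, different membership behind the same name in access rules.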
Re: [Freeipa-devel] Host groups and netgroups
> If this proposal looks reasonable I will open a ticket.
> JR will you be able to provide a patch that does all of this since this is not exactly what we originally planned?

Your premise makes a lot of sense. This is very promising news Dmitri. Let me consider how I would accommodate the patch, and get back to you early next week with an official answer on commitment.

--
Thanks!
-JR