On Apr 22, 2011, at 12:53 PM, Rob Crittenden wrote:

> JR Aquino wrote:
>> On Apr 12, 2011, at 9:45 AM, JR Aquino wrote:
>> 
>>> Add HBAC Rule and Sudo Rule to users as indirect member attributes to 
>>> simplify the auditing of users for their indirect membership to their 
>>> authorization rights.
>>> 
>>> An Administrator should have the ability to quickly identify the rights a 
>>> user will have in the system.
>>> 
>>> For example, with the patch added, my user show looks like this:
>>> 
>>> # ipa user-show tester --all
>>>  dn: uid=builder,cn=users,cn=accounts,dc=example,dc=com
>>>  User login: tester
>>>  First name: Tester
>>>  Last name: Engineering
>>>  Full name: Tester Engineering
>>>  Display name: Tester Engineering
>>>  Initials: TE
>>>  Home directory: /home/tester
>>>  GECOS field: Tester Engineering
>>>  Login shell: /bin/sh
>>>  Kerberos principal: tes...@example.com
>>>  UID: 1829800388
>>>  GID: 1829800388
>>>  Account disabled: False
>>>  Member of groups: ipausers, auto-dev-deploy-tools, build-integration
>>>  ipauniqueid: 72fa22c6-6085-11e0-9629-0023aefe4ec0
>>>  krbpwdpolicyreference: 
>>> cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
>>>  memberofindirect_HBAC rule: development
>>>  memberofindirect_Sudo Rule: AUTO-dev-deploy-tools_DEPLOY, 
>>> AUTO-dev-deploy-tools_ZENOSS, build-integration
>>>  mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=example,dc=com
>>>  objectclass: top, person, organizationalperson, inetorgperson, inetuser, 
>>> posixaccount
>>> 
>>> <freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-indirectmemberof-attrib.patch>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> 
>> 
>> Oops, forgot to have PATCH in the subject.
>> 
> 
> I think you need this as well, right?
> 
> -        'memberof': ['group', 'netgroup', 'role'],
> +        'memberof': ['group', 'netgroup', 'role', 'sudorule', 'hbacrule'],
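
Review bot: The direct-membership case introduced on the `+` line ('sudorule' and 'hbacrule' appended to 'memberof') has no test visible here, so a user assigned straight to a rule could drop out of the audit view unnoticed if this list regresses. Suggest adding a test that attaches a user directly to one Sudo rule and one HBAC rule and checks that both show up under memberof, next to a case where the same rule types are reached through a group, and confirming that the indirect-membership list names the same two rule types so the direct and indirect output of user-show stay in step.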

Yes, you are right, the users can individually be assigned to rules directly.


Attachment: binZep0wDn7Vt.bin
Description: freeipa-jraquino-0024-Add-sudorule-and-hbacrule-to-memberof-indirectmemberof-attrib.patch