Re: [Freeipa-devel] Host groups and netgroups
JR Aquino wrote:
> On 11/24/10 11:19 AM, "Dmitri Pal" wrote:
>
>
>> Hello,
>>
>> It is well known that with IPA we want to try to move people from the
>> netgroups to host groups but many companies currently use netgroups as
>> hostgroups. To simplify migration I suggest that we by default always
>> create a managed "nisnetgroup" entry that would map 1-1 to the host
>> group using managed entry plugin. The logic would work the following way:
>>
>> 1) When the host group is created the netgroup also will be created with
>> the same name and memberHost attribute pointing to the DN of the newly
>> created host group
>> 2) The deletion of the host group will automatically remove managed
>> netgroup
>> 3) The rename of the host group (if allowed) should cause the managed
>> group to be renamed too.
>>
>> In the UI/CLI we will filter out managed netgroups in all cases related
>> to identity part of the server (list of netgroups, users members of the
>> netgroup, hosts members of netgroup, etc.). The netgroups will be
>> available only in the special cases like SUDO plugin.
>>
>> The work will consist of:
>> 1) Defining the managed entry plugin config for this case
>> 2) Adding this configuration to the installation sequence
>> 3) Updating netgroup searches to filter out managed entries
>> 4) Allow all netgroups in SUDO plugin (I think this is already the case).
>>
>> If this proposal looks reasonable I will open a ticket.
>> JR will you be able to provide a patch that does all of this since this
>> is not exactly what we originally planned?
>>
>
> This proposal looks reasonable.
>
> I will be working this week to explore handling this in either the
> 'Managed Entries' or 'Plugin' Route to see which is the most appropriate.
>
>

I opened a ticket https://fedorahosted.org/freeipa/ticket/543

JR do you have a Fedora account?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Host groups and netgroups
On 11/24/10 11:19 AM, "Dmitri Pal" wrote:

>Hello,
>
>It is well known that with IPA we want to try to move people from the
>netgroups to host groups but many companies currently use netgroups as
>hostgroups. To simplify migration I suggest that we by default always
>create a managed "nisnetgroup" entry that would map 1-1 to the host
>group using managed entry plugin. The logic would work the following way:
>
>1) When the host group is created the netgroup also will be created with
>the same name and memberHost attribute pointing to the DN of the newly
>created host group
>2) The deletion of the host group will automatically remove managed
>netgroup
>3) The rename of the host group (if allowed) should cause the managed
>group to be renamed too.
>
>In the UI/CLI we will filter out managed netgroups in all cases related
>to identity part of the server (list of netgroups, users members of the
>netgroup, hosts members of netgroup, etc.). The netgroups will be
>available only in the special cases like SUDO plugin.
>
>The work will consist of:
>1) Defining the managed entry plugin config for this case
>2) Adding this configuration to the installation sequence
>3) Updating netgroup searches to filter out managed entries
>4) Allow all netgroups in SUDO plugin (I think this is already the case).
>
>If this proposal looks reasonable I will open a ticket.
>JR will you be able to provide a patch that does all of this since this
>is not exactly what we originally planned?

This proposal looks reasonable.

I will be working this week to explore handling this in either the
'Managed Entries' or 'Plugin' Route to see which is the most appropriate.

Re: [Freeipa-devel] Host groups and netgroups
>If this proposal looks reasonable I will open a ticket.
>JR will you be able to provide a patch that does all of this since this
>is not exactly what we originally planned?

Your premise makes a lot of sense. This is very promising news Dmitri.

Let me consider how I would accommodate the patch, and get back to you
early next week with an official answer on commitment.

--
Thanks!
-JR
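
The lifecycle and filtering rules from the quoted proposal, modelled in memory as an added example (not part of the thread and not FreeIPA code). The DIT layout, the use of ipaHostGroup, mepManagedEntry and mepManagedBy as markers, and the reject-on-name-clash behaviour are assumptions made for illustration.

```python
HOSTGROUP_BASE = "cn=hostgroups,cn=accounts,dc=example,dc=com"  # assumed layout
NETGROUP_BASE = "cn=ng,cn=alt,dc=example,dc=com"                # assumed layout


class Directory:
    """In-memory stand-in for the directory: DN -> attribute dict."""

    def __init__(self):
        self.entries = {}

    def _hg(self, name):
        return f"cn={name},{HOSTGROUP_BASE}"

    def _ng(self, name):
        return f"cn={name},{NETGROUP_BASE}"

    def add_netgroup(self, name):
        # A netgroup an administrator created directly (not managed).
        self.entries[self._ng(name)] = {"cn": name, "objectClass": {"nisNetgroup"}}

    def add_hostgroup(self, name):
        if self._ng(name) in self.entries:
            # Assumption: a name clash is rejected, never overwritten.
            raise ValueError(f"netgroup {name!r} already exists")
        hg = self._hg(name)
        self.entries[hg] = {"cn": name, "objectClass": {"ipaHostGroup"}}
        # Rule 1: same name, memberHost points at the host group's DN.
        self.entries[self._ng(name)] = {
            "cn": name, "memberHost": hg, "mepManagedBy": hg,
            "objectClass": {"nisNetgroup", "mepManagedEntry"}}

    def del_hostgroup(self, name):
        hg = self._hg(name)
        del self.entries[hg]
        # Rule 2: remove only the netgroup this host group manages.
        if self.entries.get(self._ng(name), {}).get("mepManagedBy") == hg:
            del self.entries[self._ng(name)]

    def rename_hostgroup(self, old, new):
        if self._ng(new) in self.entries or self._hg(new) in self.entries:
            raise ValueError(f"{new!r} is already taken")
        # Rule 3: the managed netgroup follows the rename.
        self.del_hostgroup(old)
        self.add_hostgroup(new)

    def find_netgroups(self, include_managed=False):
        # Identity views hide managed entries; include_managed=True is the
        # SUDO plugin's view, which sees every netgroup.
        return sorted(
            e["cn"] for e in self.entries.values()
            if "nisNetgroup" in e["objectClass"]
            and (include_managed or "mepManagedEntry" not in e["objectClass"]))
```
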