Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
What is the preferred IPA platform for performing this endeavor? Would it be best to create an environment, virtual or physical, that has RHEL6 update 4 fully patched and IdM installed? Or would Fedora 18 with the http://jdennis.fedorapeople.org/ipa-devel/fedora/18/x86_64/os/ yum repository enabled be better for this development?

Thanks,
Rodney.

On Tue, 2013-02-26 at 14:34 -0500, Dmitri Pal wrote:
> On 02/25/2013 02:29 PM, Mercer, Rodney wrote:
>> I think that this is a good explanation of the Solaris RBAC model.
>> http://www.softpanorama.org/Solaris/Security/solaris_rbac.shtml
>>
>> Regards,
>> Rodney.
>
> I will definitely read it. But assume I did. What are the next steps? The schema is the right one so do you plan to start the design work? Would you start with the server side or with SSSD side? Adding schema to IPA and populating it with ldap modify or by loading ldif might give you enough to start designing and developing the SSSD component. The management interface for the server side can be added after the SSSD side is done.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Rodney L. Mercer wrote:
> What is the preferred IPA platform for performing this endeavor? Would it be best to create an environment, virtual or physical, that has RHEL6 update 4 fully patched and IdM installed? Or would Fedora 18 with the http://jdennis.fedorapeople.org/ipa-devel/fedora/18/x86_64/os/ yum repository enabled be better for this development?

Building from git would make it easier to manage the changes and get them submitted upstream, otherwise I'd say go with F-18 builds as they are closer to the master branch than RHEL 6.4 (which is based on 3.0).

regards

rob

> Thanks,
> Rodney.
>
> On Tue, 2013-02-26 at 14:34 -0500, Dmitri Pal wrote:
>> On 02/25/2013 02:29 PM, Mercer, Rodney wrote:
>>> I think that this is a good explanation of the Solaris RBAC model.
>>> http://www.softpanorama.org/Solaris/Security/solaris_rbac.shtml
>>>
>>> Regards,
>>> Rodney.
>>
>> I will definitely read it. But assume I did. What are the next steps? The schema is the right one so do you plan to start the design work? Would you start with the server side or with SSSD side? Adding schema to IPA and populating it with ldap modify or by loading ldif might give you enough to start designing and developing the SSSD component. The management interface for the server side can be added after the SSSD side is done.
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/25/2013 02:29 PM, Mercer, Rodney wrote:
> I think that this is a good explanation of the Solaris RBAC model.
> http://www.softpanorama.org/Solaris/Security/solaris_rbac.shtml
>
> Regards,
> Rodney.

I will definitely read it. But assume I did. What are the next steps? The schema is the right one so do you plan to start the design work? Would you start with the server side or with SSSD side? Adding schema to IPA and populating it with ldap modify or by loading ldif might give you enough to start designing and developing the SSSD component. The management interface for the server side can be added after the SSSD side is done.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On Mon, 2013-02-25 at 18:48 +, Mercer, Rodney wrote:
> On Thu, 2013-02-21 at 03:53 -0500, Dmitri Pal wrote:
>> On 02/20/2013 08:44 AM, Rodney L. Mercer wrote:
>>> On Tue, 2013-02-19 at 21:05 -0500, Dmitri Pal wrote:
>>>> On 02/19/2013 09:14 AM, Rodney L. Mercer wrote:
>>>>> On Sun, 2013-02-17 at 13:31 -0500, Dmitri Pal wrote:
>>>>>> On 02/16/2013 12:14 PM, Mercer, Rodney wrote:
>>>>>>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>>>>>>>> Sent: Saturday, February 16, 2013 6:29 AM
>>>>>>>> To: freeipa-users@redhat.com
>>>>>>>> Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
>>>>>>>>
>>>>>>>> On 02/15/2013 10:31 PM, Dmitri Pal wrote:
>>>>>>>>> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>>>>>>>>>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>>>>>>>>>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>>>>>>>>>>
>>>>>>>>>>> Rgds,
>>>>>>>>>>> Siggi
>>>>>>>>>>>
>>>>>>>>>>> Rob Crittenden rcrit...@redhat.com wrote:
>>>>>>>>>>>> Dag Wieers wrote:
>>>>>>>>>>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>>>>>>>>>>> Sigbjorn Lie wrote:
>>>>>>>>>>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>>>>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>>>>>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>>>>>>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schema?
>>>>>>>>>>
>>>>>>>>>> Consider the following:
>>>>>>>>>> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
>>>>>>>>>> IE:
>>>>>>>>>> tail -5 /etc/nsswitch.conf
>>>>>>>>>> user_attr: sssd
>>>>>>>>>> auth_attr: sssd
>>>>>>>>>> prof_attr: sssd
>>>>>>>>>> exec_attr: sssd
>>>>>>>>>> project:sssd
>>>>>>>>>
>>>>>>>>> Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?
>>>>>>>>
>>>>>>>> I don't think Linux would consume these attributes. They are specific to the Role Based Access Control solution implemented in Solaris.
>>>>>>>>
>>>>>>>> Rgds,
>>>>>>>> Siggi
>>>>>>>
>>>>>>> --
>>>>>>> Yes, I understand that Linux has no mechanism currently built in to consume these Solaris name server switch attributes. But if the Solaris RBAC schema is included as part of the standard IPA distributed LDAP schema, my question is how hard would it be to create an extension using SSSD/pam to do so? I agree that it is too much to ask for a full Solaris style RBAC implementation on RHEL.
>>>>>>>
>>>>>>> We have an application that currently uses the Solaris RBAC structure to authorize user/role accesses within the application. Our goal is to use existing OS calls or possibly extending SSSD to allow system calls that would give us back an answer to attributes placed within the LDAP tree that are composed in like fashion as how they are stored in Solaris. Defining the schema seemed to be well received and I understand that it is intended that it would be there to support Solaris clients. If SSSD could be extended to access these attributes and possibly pam modules to allow Linux clients to take advantage of this RBAC schema, then our application could perform as it does on Solaris. It would also open up the opportunity for other vendors to consider moving their Solaris RBAC applications to RHEL. I think with that as a goal, we could then create users and SELinux roles that are defined within the RBAC based schema much like our current Solaris implementation. We use Solaris nsswitch calls to get yes/no authorization answers for user/role privilege within our application.
>>>>>>>
>>>>>>> Since IdM and SSSD already support
>>>>>>> a) HBAC
>>>>>>> b) SUDO
>>>>>>> c) SELinux user mapping
>>>>>>> I believe HBAC as already implemented in IdM will be an additional asset in defining and restricting access
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/20/2013 08:44 AM, Rodney L. Mercer wrote:
> On Tue, 2013-02-19 at 21:05 -0500, Dmitri Pal wrote:
>> On 02/19/2013 09:14 AM, Rodney L. Mercer wrote:
>>> On Sun, 2013-02-17 at 13:31 -0500, Dmitri Pal wrote:
>>>> On 02/16/2013 12:14 PM, Mercer, Rodney wrote:
>>>>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>>>>>> Sent: Saturday, February 16, 2013 6:29 AM
>>>>>> To: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
>>>>>>
>>>>>> On 02/15/2013 10:31 PM, Dmitri Pal wrote:
>>>>>>> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>>>>>>>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>>>>>>>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>>>>>>>>
>>>>>>>>> Rgds,
>>>>>>>>> Siggi
>>>>>>>>>
>>>>>>>>> Rob Crittenden rcrit...@redhat.com wrote:
>>>>>>>>>> Dag Wieers wrote:
>>>>>>>>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>>>>>>>>> Sigbjorn Lie wrote:
>>>>>>>>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>>>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>>>>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schema?
>>>>>>>>
>>>>>>>> Consider the following:
>>>>>>>> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
>>>>>>>> IE:
>>>>>>>> tail -5 /etc/nsswitch.conf
>>>>>>>> user_attr: sssd
>>>>>>>> auth_attr: sssd
>>>>>>>> prof_attr: sssd
>>>>>>>> exec_attr: sssd
>>>>>>>> project:sssd
>>>>>>>
>>>>>>> Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?
>>>>>>
>>>>>> I don't think Linux would consume these attributes. They are specific to the Role Based Access Control solution implemented in Solaris.
>>>>>>
>>>>>> Rgds,
>>>>>> Siggi
>>>>>
>>>>> --
>>>>> Yes, I understand that Linux has no mechanism currently built in to consume these Solaris name server switch attributes. But if the Solaris RBAC schema is included as part of the standard IPA distributed LDAP schema, my question is how hard would it be to create an extension using SSSD/pam to do so? I agree that it is too much to ask for a full Solaris style RBAC implementation on RHEL.
>>>>>
>>>>> We have an application that currently uses the Solaris RBAC structure to authorize user/role accesses within the application. Our goal is to use existing OS calls or possibly extending SSSD to allow system calls that would give us back an answer to attributes placed within the LDAP tree that are composed in like fashion as how they are stored in Solaris. Defining the schema seemed to be well received and I understand that it is intended that it would be there to support Solaris clients. If SSSD could be extended to access these attributes and possibly pam modules to allow Linux clients to take advantage of this RBAC schema, then our application could perform as it does on Solaris. It would also open up the opportunity for other vendors to consider moving their Solaris RBAC applications to RHEL. I think with that as a goal, we could then create users and SELinux roles that are defined within the RBAC based schema much like our current Solaris implementation. We use Solaris nsswitch calls to get yes/no authorization answers for user/role privilege within our application.
>>>>>
>>>>> Since IdM and SSSD already support
>>>>> a) HBAC
>>>>> b) SUDO
>>>>> c) SELinux user mapping
>>>>> I believe HBAC as already implemented in IdM will be an additional asset in defining and restricting access that can be used by our customers. We have decided to move away from sudo, but may reconsider some of its uses if it suits the situation. Maybe SSSD can be extended to access the RBAC schema in much the same way that it accesses SUDO or HBAC schema?
>>>>>
>>>>> We have decided to use RHEL
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/19/2013 09:14 AM, Rodney L. Mercer wrote:
> On Sun, 2013-02-17 at 13:31 -0500, Dmitri Pal wrote:
>> On 02/16/2013 12:14 PM, Mercer, Rodney wrote:
>>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>>>> Sent: Saturday, February 16, 2013 6:29 AM
>>>> To: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
>>>>
>>>> On 02/15/2013 10:31 PM, Dmitri Pal wrote:
>>>>> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>>>>>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>>>>>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>>>>>>
>>>>>>> Rgds,
>>>>>>> Siggi
>>>>>>>
>>>>>>> Rob Crittenden rcrit...@redhat.com wrote:
>>>>>>>> Dag Wieers wrote:
>>>>>>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>>>>>>> Sigbjorn Lie wrote:
>>>>>>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schema?
>>>>>>
>>>>>> Consider the following:
>>>>>> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
>>>>>> IE:
>>>>>> tail -5 /etc/nsswitch.conf
>>>>>> user_attr: sssd
>>>>>> auth_attr: sssd
>>>>>> prof_attr: sssd
>>>>>> exec_attr: sssd
>>>>>> project:sssd
>>>>>
>>>>> Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?
>>>>
>>>> I don't think Linux would consume these attributes. They are specific to the Role Based Access Control solution implemented in Solaris.
>>>>
>>>> Rgds,
>>>> Siggi
>>>
>>> --
>>> Yes, I understand that Linux has no mechanism currently built in to consume these Solaris name server switch attributes. But if the Solaris RBAC schema is included as part of the standard IPA distributed LDAP schema, my question is how hard would it be to create an extension using SSSD/pam to do so? I agree that it is too much to ask for a full Solaris style RBAC implementation on RHEL.
>>>
>>> We have an application that currently uses the Solaris RBAC structure to authorize user/role accesses within the application. Our goal is to use existing OS calls or possibly extending SSSD to allow system calls that would give us back an answer to attributes placed within the LDAP tree that are composed in like fashion as how they are stored in Solaris. Defining the schema seemed to be well received and I understand that it is intended that it would be there to support Solaris clients. If SSSD could be extended to access these attributes and possibly pam modules to allow Linux clients to take advantage of this RBAC schema, then our application could perform as it does on Solaris. It would also open up the opportunity for other vendors to consider moving their Solaris RBAC applications to RHEL. I think with that as a goal, we could then create users and SELinux roles that are defined within the RBAC based schema much like our current Solaris implementation. We use Solaris nsswitch calls to get yes/no authorization answers for user/role privilege within our application.
>>>
>>> Since IdM and SSSD already support
>>> a) HBAC
>>> b) SUDO
>>> c) SELinux user mapping
>>> I believe HBAC as already implemented in IdM will be an additional asset in defining and restricting access that can be used by our customers. We have decided to move away from sudo, but may reconsider some of its uses if it suits the situation. Maybe SSSD can be extended to access the RBAC schema in much the same way that it accesses SUDO or HBAC schema?
>>>
>>> We have decided to use RHEL as the primary OS platform of choice going forward and we need to create a solution to our application
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/16/2013 12:14 PM, Mercer, Rodney wrote:
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>> Sent: Saturday, February 16, 2013 6:29 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
>>
>> On 02/15/2013 10:31 PM, Dmitri Pal wrote:
>>> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>>>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>>>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>>>>
>>>>> Rgds,
>>>>> Siggi
>>>>>
>>>>> Rob Crittenden rcrit...@redhat.com wrote:
>>>>>> Dag Wieers wrote:
>>>>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>>>>> Sigbjorn Lie wrote:
>>>>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schema?
>>>>
>>>> Consider the following:
>>>> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
>>>> IE:
>>>> tail -5 /etc/nsswitch.conf
>>>> user_attr: sssd
>>>> auth_attr: sssd
>>>> prof_attr: sssd
>>>> exec_attr: sssd
>>>> project:sssd
>>>
>>> Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?
>>
>> I don't think Linux would consume these attributes. They are specific to the Role Based Access Control solution implemented in Solaris.
>>
>> Rgds,
>> Siggi
>
> --
> Yes, I understand that Linux has no mechanism currently built in to consume these Solaris name server switch attributes. But if the Solaris RBAC schema is included as part of the standard IPA distributed LDAP schema, my question is how hard would it be to create an extension using SSSD/pam to do so? I agree that it is too much to ask for a full Solaris style RBAC implementation on RHEL.
>
> We have an application that currently uses the Solaris RBAC structure to authorize user/role accesses within the application. Our goal is to use existing OS calls or possibly extending SSSD to allow system calls that would give us back an answer to attributes placed within the LDAP tree that are composed in like fashion as how they are stored in Solaris. Defining the schema seemed to be well received and I understand that it is intended that it would be there to support Solaris clients. If SSSD could be extended to access these attributes and possibly pam modules to allow Linux clients to take advantage of this RBAC schema, then our application could perform as it does on Solaris. It would also open up the opportunity for other vendors to consider moving their Solaris RBAC applications to RHEL. I think with that as a goal, we could then create users and SELinux roles that are defined within the RBAC based schema much like our current Solaris implementation. We use Solaris nsswitch calls to get yes/no authorization answers for user/role privilege within our application.
>
> Since IdM and SSSD already support
> a) HBAC
> b) SUDO
> c) SELinux user mapping
> I believe HBAC as already implemented in IdM will be an additional asset in defining and restricting access that can be used by our customers. We have decided to move away from sudo, but may reconsider some of its uses if it suits the situation. Maybe SSSD can be extended to access the RBAC schema in much the same way that it accesses SUDO or HBAC schema?
>
> We have decided to use RHEL as the primary OS platform of choice going forward and we need to create a solution to our application RBAC needs similar to what we have accomplished with Solaris. I have been speaking
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/15/2013 03:17 PM, Rodney L. Mercer wrote:
> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>
>> Rgds,
>> Siggi
>>
>> Rob Crittenden rcrit...@redhat.com wrote:
>>> Dag Wieers wrote:
>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
>
> Consider the following:
> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
> IE:
> tail -5 /etc/nsswitch.conf
> user_attr: sssd
> auth_attr: sssd
> prof_attr: sssd
> exec_attr: sssd
> project:sssd

Do you use SSSD on Solaris?
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/15/2013 10:31 PM, Dmitri Pal wrote:
> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>>
>>> Rgds,
>>> Siggi
>>>
>>> Rob Crittenden rcrit...@redhat.com wrote:
>>>> Dag Wieers wrote:
>>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>>> Sigbjorn Lie wrote:
>>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
>>
>> Consider the following:
>> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
>> IE:
>> tail -5 /etc/nsswitch.conf
>> user_attr: sssd
>> auth_attr: sssd
>> prof_attr: sssd
>> exec_attr: sssd
>> project:sssd
>
> Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?

I don't think Linux would consume these attributes. They are specific to the Role Based Access Control solution implemented in Solaris.

Rgds,
Siggi
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Saturday, February 16, 2013 6:29 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
>
> On 02/15/2013 10:31 PM, Dmitri Pal wrote:
>> On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
>>> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>>>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>>>
>>>> Rgds,
>>>> Siggi
>>>>
>>>> Rob Crittenden rcrit...@redhat.com wrote:
>>>>> Dag Wieers wrote:
>>>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>>>> Sigbjorn Lie wrote:
>>>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schema?
>>>
>>> Consider the following:
>>> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
>>> IE:
>>> tail -5 /etc/nsswitch.conf
>>> user_attr: sssd
>>> auth_attr: sssd
>>> prof_attr: sssd
>>> exec_attr: sssd
>>> project:sssd
>>
>> Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?
>
> I don't think Linux would consume these attributes. They are specific to the Role Based Access Control solution implemented in Solaris.
>
> Rgds,
> Siggi

--
Yes, I understand that Linux has no mechanism currently built in to consume these Solaris name server switch attributes. But if the Solaris RBAC schema is included as part of the standard IPA distributed LDAP schema, my question is how hard would it be to create an extension using SSSD/pam to do so? I agree that it is too much to ask for a full Solaris style RBAC implementation on RHEL.

We have an application that currently uses the Solaris RBAC structure to authorize user/role accesses within the application. Our goal is to use existing OS calls or possibly extending SSSD to allow system calls that would give us back an answer to attributes placed within the LDAP tree that are composed in like fashion as how they are stored in Solaris. Defining the schema seemed to be well received and I understand that it is intended that it would be there to support Solaris clients. If SSSD could be extended to access these attributes and possibly pam modules to allow Linux clients to take advantage of this RBAC schema, then our application could perform as it does on Solaris. It would also open up the opportunity for other vendors to consider moving their Solaris RBAC applications to RHEL. I think with that as a goal, we could then create users and SELinux roles that are defined within the RBAC based schema much like our current Solaris implementation. We use Solaris nsswitch calls to get yes/no authorization answers for user/role privilege within our application.

Since IdM and SSSD already support
a) HBAC
b) SUDO
c) SELinux user mapping
I believe HBAC as already implemented in IdM will be an additional asset in defining and restricting access that can be used by our customers. We have decided to move away from sudo, but may reconsider some of its uses if it suits the situation. Maybe SSSD can be extended to access the RBAC schema in much the same way that it accesses SUDO or HBAC schema?

We have decided to use RHEL as the primary OS platform of choice going forward and we need to create a solution to our application RBAC needs similar to what we have accomplished with Solaris. I have been speaking with Dmitri on the side about these possibilities and would like to know what each of your thoughts
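The message above wants a yes/no authorization answer resolved from Solaris-style RBAC records (user_attr, prof_attr) served through nsswitch. The following is an added example, not code from this thread, from IPA or from SSSD: it parses constructed records in the Solaris user_attr(4)/prof_attr(4) formats (the trailing key=value field is the same string the Solaris LDAP schema carries in SolarisAttrKeyValue) and resolves an authorization through profile chains, wildcard authorizations and role assumption. The users, profiles and com.example.* authorization names are invented, and policy.conf defaults are not modelled.

```python
"""Resolve a Solaris-RBAC style yes/no authorization question from user_attr
and prof_attr records.  Added example for this thread; the records below are
constructed, and policy.conf defaults (the profiles every user implicitly
holds on Solaris) are deliberately not modelled."""
from typing import Dict, List, Optional, Set

# Constructed records in the Solaris user_attr(4) and prof_attr(4) formats:
#   user_attr: user:qualifier:res1:res2:key=value;key=value
#   prof_attr: profile:res1:res2:description:key=value;key=value
# The last field is the same "key=value;..." string that the Solaris LDAP
# schema stores in SolarisAttrKeyValue, so one parser serves files and LDAP.
USER_ATTR = """\
alice::::type=normal;profiles=App Operator;auths=solaris.admin.usermgr.read
bob::::type=normal;roles=appadm
appadm::::type=role;profiles=App Administrator
"""
PROF_ATTR = """\
App Operator:::Run and inspect the application:auths=com.example.app.view;profiles=Basic App Access
App Administrator:::Full application control:auths=com.example.app.*;profiles=App Operator
Basic App Access:::Log in to the application:auths=com.example.app.login
"""

KV = Dict[str, List[str]]


def parse_kv(attr: str) -> KV:
    """Split 'k1=a,b;k2=c' into {'k1': ['a', 'b'], 'k2': ['c']}."""
    out: KV = {}
    for pair in filter(None, attr.split(";")):
        key, _, value = pair.partition("=")
        out[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return out


def parse_table(text: str, attr_field: int = 4) -> Dict[str, KV]:
    """Index colon-separated records by their first field; attr_field is the
    position of the key=value field (4 for both user_attr and prof_attr)."""
    table: Dict[str, KV] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            table[fields[0]] = parse_kv(fields[attr_field])
    return table


def auth_matches(granted: str, wanted: str) -> bool:
    """Solaris wildcard rule: 'a.b.*' grants every authorization below 'a.b.'."""
    if granted.endswith(".*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def collect_auths(name: str, users: Dict[str, KV], profs: Dict[str, KV]) -> Set[str]:
    """Direct auths of a user or role plus those of every profile reachable
    through profiles= chains; the seen-set keeps profile cycles from looping."""
    entry = users.get(name, {})
    auths: Set[str] = set(entry.get("auths", []))
    pending, seen = list(entry.get("profiles", [])), set()
    while pending:
        prof = pending.pop()
        if prof in seen or prof not in profs:
            continue
        seen.add(prof)
        auths.update(profs[prof].get("auths", []))
        pending.extend(profs[prof].get("profiles", []))
    return auths


def chkauthattr(user: str, authorization: str, users: Dict[str, KV],
                profs: Dict[str, KV], as_role: Optional[str] = None) -> bool:
    """Yes/no answer in the spirit of chkauthattr(3SECDB).  With as_role set,
    the user must be allowed to assume that role (roles= in user_attr) and the
    role's authorizations, not the user's own, are evaluated."""
    if as_role is not None:
        if as_role not in users.get(user, {}).get("roles", []):
            return False  # user may not assume this role
        if "role" not in users.get(as_role, {}).get("type", []):
            return False  # target account is not a role
        user = as_role
    return any(auth_matches(g, authorization) for g in collect_auths(user, users, profs))


USERS = parse_table(USER_ATTR)
PROFS = parse_table(PROF_ATTR)

if __name__ == "__main__":
    for who, role, auth in [("alice", None, "com.example.app.login"),
                            ("alice", None, "com.example.app.admin"),
                            ("bob", None, "com.example.app.admin"),
                            ("bob", "appadm", "com.example.app.admin")]:
        print(f"{who:6} as {role or '-':7} {auth}: {chkauthattr(who, auth, USERS, PROFS, role)}")
```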
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>
> Rgds,
> Siggi
>
> Rob Crittenden rcrit...@redhat.com wrote:
>> Dag Wieers wrote:
>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>> Sigbjorn Lie wrote:
>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?

Consider the following:
What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
IE:
tail -5 /etc/nsswitch.conf
user_attr: sssd
auth_attr: sssd
prof_attr: sssd
exec_attr: sssd
project:sssd

>>>> Is the schema enough? Won't people want a way from IPA to manage the data too?
>>> Of course, integration in IPA is better, but having the schema integrated is a good first step. Besides, integration in IPA probably won't happen without RBAC support in Fedora/RHEL, right?
>> Right, and it is a bit beyond our scope to create a compatible RBAC solution.
>>
>> rob
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/15/2013 09:17 AM, Rodney L. Mercer wrote:
> On Thu, 2013-02-14 at 21:44 +0100, Sigbjorn Lie wrote:
>> I agree with schema support being enough for now. I do not expect the ipa mgmt tools to support Solaris rbac mgmt. The ipa mgmt tools are great, but I already have other data in the ipa ldap that I have to manage manually anyway.
>>
>> Rgds,
>> Siggi
>>
>> Rob Crittenden rcrit...@redhat.com wrote:
>>> Dag Wieers wrote:
>>>> On Thu, 14 Feb 2013, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> On 02/13/2013 04:10 PM, Rob Crittenden wrote:
>>>>>>>> Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
>>>>>>> No, IPA doesn't support RBAC on Solaris.
>>>>>> I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
>
> Consider the following:
> What else would have to be put in to support this? Once the schema is established, can SSSD be extended to use this and potentially be referenced in nsswitch.conf as it is implemented on Solaris?
> IE:
> tail -5 /etc/nsswitch.conf
> user_attr: sssd
> auth_attr: sssd
> prof_attr: sssd
> exec_attr: sssd
> project:sssd

Before we define how it is passed/exposed it would be nice to understand who on Linux will be consuming it out of SSSD?

>>>>> Is the schema enough? Won't people want a way from IPA to manage the data too?
>>>> Of course, integration in IPA is better, but having the schema integrated is a good first step. Besides, integration in IPA probably won't happen without RBAC support in Fedora/RHEL, right?
>>> Right, and it is a bit beyond our scope to create a compatible RBAC solution.
>>>
>>> rob
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/13/2013 04:10 PM, Rob Crittenden wrote:
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
Regards, Siggi
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Sigbjorn Lie wrote:
On 02/13/2013 04:10 PM, Rob Crittenden wrote:
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
Is the schema enough? Won't people want a way from IPA to manage the data too?
rob
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On Thu, 2013-02-14 at 18:56 +0100, Sigbjorn Lie wrote:
On 02/13/2013 04:10 PM, Rob Crittenden wrote:
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
Regards, Siggi

Siggi, Yes, I had asked for this back in late 2011. I am glad to see that Dag Wieers is asking for it also. https://www.redhat.com/archives/freeipa-users/2011-November/msg00053.html
Regards, Rodney.
-- Rodney Mercer
Systems Administrator
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On Thu, 14 Feb 2013, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 02/13/2013 04:10 PM, Rob Crittenden wrote:
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
Is the schema enough? Won't people want a way from IPA to manage the data too?
Of course, integration in IPA is better, but having the schema integrated is a good first step. Besides, integration in IPA probably won't happen without RBAC support in Fedora/RHEL, right?
-- -- dag wieers, d...@wieers.com, http://dag.wieers.com/ -- dagit linux solutions, i...@dagit.net, http://dagit.net/ [Any errors in spelling, tact or fact are transmission errors]
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Dag Wieers wrote:
On Thu, 14 Feb 2013, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 02/13/2013 04:10 PM, Rob Crittenden wrote:
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
I've come across the same issue. This is just a matter of extending the schema. Would there be any interest for adding the Solaris RBAC schema as a part of the standard IPA distributed LDAP schemas?
Is the schema enough? Won't people want a way from IPA to manage the data too?
Of course, integration in IPA is better, but having the schema integrated is a good first step. Besides, integration in IPA probably won't happen without RBAC support in Fedora/RHEL, right?
Right, and it is a bit beyond our scope to create a compatible RBAC solution.
rob
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Dag Wieers wrote:
Hi, We are investigating whether IPA is an acceptable solution for our environment. One of the aspects that is not clear (from reading the documentation and testing it without AD) is whether the synchronization with AD can be limited to a subset. Since we would like to only synchronize certain user-accounts (conforming to a specific format) from AD unidirectionally, and we also want to manage functional/technical accounts on IPA, we need to make sure that we:
- can filter the stuff we pull from AD
You can set the subtree to use, I'm not sure if you can supply a filter to the winsync agreement. Rich?
- can avoid the synchronisation to remove other accounts managed in IPA
I don't understand the question. You don't want the winsync agreement to affect IPA-specific users? That works.
Can someone confirm that this is possible? Is there any in-depth information on how this AD synchronization works (preferably about RHEL6 IPA)?
Not beyond what is in the 389-ds-base and IPA documentation. There might be some additional information on the 389-ds wiki.
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
rob
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/13/2013 08:10 AM, Rob Crittenden wrote:
Dag Wieers wrote:
Hi, We are investigating whether IPA is an acceptable solution for our environment. One of the aspects that is not clear (from reading the documentation and testing it without AD) is whether the synchronization with AD can be limited to a subset. Since we would like to only synchronize certain user-accounts (conforming to a specific format) from AD unidirectionally, and we also want to manage functional/technical accounts on IPA, we need to make sure that we:
- can filter the stuff we pull from AD
You can set the subtree to use, I'm not sure if you can supply a filter to the winsync agreement. Rich?
No, this is an RFE. This trac report gives a pretty good idea of the limitations of 389 winsync: https://fedorahosted.org/389/query?component=Sync+Servicestatus=acceptedstatus=assignedstatus=newstatus=reopenedcol=idcol=summarycol=statuscol=typecol=prioritycol=milestonecol=componentorder=priorityreport=16
see especially https://fedorahosted.org/389/ticket/178 https://fedorahosted.org/389/ticket/460
- can avoid the synchronisation to remove other accounts managed in IPA
I don't understand the question. You don't want the winsync agreement to affect IPA-specific users? That works.
Can someone confirm that this is possible? Is there any in-depth information on how this AD synchronization works (preferably about RHEL6 IPA)?
Not beyond what is in the 389-ds-base and IPA documentation. There might be some additional information on the 389-ds wiki.
What would you like to know?
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
No, IPA doesn't support RBAC on Solaris.
rob
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Hi, You can specify a --winsubtree, provided all the users you want are in that, I think that will work. For filters, I've suggested that, we have so much garbage in our AD that it's cluttering IPA badly. e.g. we have hundred templates, so I'd like to block those from being transferred.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dag Wieers [d...@wieers.com]
Sent: Thursday, 14 February 2013 3:58 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

Hi, We are investigating whether IPA is an acceptable solution for our environment. One of the aspects that is not clear (from reading the documentation and testing it without AD) is whether the synchronization with AD can be limited to a subset. Since we would like to only synchronize certain user-accounts (conforming to a specific format) from AD unidirectionally, and we also want to manage functional/technical accounts on IPA, we need to make sure that we:
- can filter the stuff we pull from AD
- can avoid the synchronisation to remove other accounts managed in IPA
Can someone confirm that this is possible? Is there any in-depth information on how this AD synchronization works (preferably about RHEL6 IPA)?
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
Thanks in advance,
-- -- dag wieers, d...@wieers.com, http://dag.wieers.com/ -- dagit linux solutions, i...@dagit.net, http://dagit.net/ [Any errors in spelling, tact or fact are transmission errors]
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
On 02/13/2013 09:58 AM, Dag Wieers wrote:
Hi, We are investigating whether IPA is an acceptable solution for our environment. One of the aspects that is not clear (from reading the documentation and testing it without AD) is whether the synchronization with AD can be limited to a subset. Since we would like to only synchronize certain user-accounts (conforming to a specific format) from AD unidirectionally, and we also want to manage functional/technical accounts on IPA, we need to make sure that we:
- can filter the stuff we pull from AD
- can avoid the synchronisation to remove other accounts managed in IPA
Can someone confirm that this is possible? Is there any in-depth information on how this AD synchronization works (preferably about RHEL6 IPA)?
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
Thanks in advance,

If you are planning to use latest bits from upstream you also can consider using trusts and PAM passthrough instead of password synchronization.
-- Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
--- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC
Hi, However trusts open a whole nest of vipers... The advantage of using winsync is you can control what happens in IPA, so if AD say gets hacked anything in IPA probably will survive. The reverse is of course also true ;]
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 14 February 2013 11:24 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

On 02/13/2013 09:58 AM, Dag Wieers wrote:
Hi, We are investigating whether IPA is an acceptable solution for our environment. One of the aspects that is not clear (from reading the documentation and testing it without AD) is whether the synchronization with AD can be limited to a subset. Since we would like to only synchronize certain user-accounts (conforming to a specific format) from AD unidirectionally, and we also want to manage functional/technical accounts on IPA, we need to make sure that we:
- can filter the stuff we pull from AD
- can avoid the synchronisation to remove other accounts managed in IPA
Can someone confirm that this is possible? Is there any in-depth information on how this AD synchronization works (preferably about RHEL6 IPA)?
Also since we also require compatibility with Solaris, and roles (RBAC) is currently used on Solaris, does IPA support RBAC on Solaris? (We noticed that RBAC mentioned in the IPA web interface only relates to IPA management).
Thanks in advance,

If you are planning to use latest bits from upstream you also can consider using trusts and PAM passthrough instead of password synchronization.
-- Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
--- Looking to carve out IT costs? www.redhat.com/carveoutcosts/