On Thu, 10 Jul 2014, Stephen Gallagher wrote:
John, this would actually be a rather interesting idea, but I agree with Dmitri: if this is the level of control that you need, you would be in a far better position with FreeIPA/Red Hat Identity Management. It has this concept baked into its Host-Based Access Control mechanism (which SSSD fully supports). The problem with trying to do this in plain LDAP is that there exists no standard mechanism for maintaining this sort of information on the LDAP server (FreeIPA's HBAC rules are kind of a de-facto standard).
By adding a group to AD per machine with suitable members, and using simple to restrict access to that group, are you not in the same place, albeit with an extra object in LDAP?

jh
