On 07/10/2014 08:11 AM, John Hodrien wrote:
On Thu, 10 Jul 2014, Stephen Gallagher wrote:

John, this would actually be a rather interesting idea, but I agree
with Dmitri: if this is the level of control that you need, you would
be in a far better position with FreeIPA/Red Hat Identity Management.
It has this concept baked into its Host-Based Access Control mechanism
(which SSSD fully supports). The problem with trying to do this in
plain LDAP is that there exists no standard mechanism for maintaining
this sort of information on the LDAP server (FreeIPA's HBAC rules are
kind of a de-facto standard).

By adding a group to AD per machine with suitable members, and using simple to restrict access to that group, are you not in the same place, albeit with an
extra object in LDAP?


No. HBAC is much more flexible. It uses groups of systems and groups of users, so you have to create and maintain many fewer objects.
But in a previous email you said OpenLDAP; now you say AD. I am confused.


jh
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

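For readers following the per-machine-group approach John describes, here is an added example, not code from the thread or from the SSSD project, of an sssd.conf domain section that uses the "simple" access provider to admit only members of one group on this host. The domain name, group name and [sssd] settings are assumed placeholders; the option names (access_provider, simple_allow_groups) are the real ones from sssd-simple(5).

```ini
# Added example (not from the thread): restrict logins on this host to one
# AD group with SSSD's "simple" access provider. Domain and group names below
# are assumed placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad

# Switch from the default "ad" access control to the simple allow/deny lists.
# The decision is evaluated on the client from the group memberships SSSD
# already resolves; the group itself (one per machine in this scheme) still
# has to be created and maintained in AD, which is the extra object Dmitri
# is pointing at.
access_provider = simple
simple_allow_groups = host-www01-login

# Caveat: if the domain uses fully qualified names, the group must be given
# as host-www01-login@example.com or the rule never matches and everyone is
# denied. An empty or unmatched allow list denies all non-listed users.
```

After editing, restart sssd so the new access provider is loaded, and test with a user inside and a user outside the group before relying on it. Contrast this with FreeIPA HBAC, where a single rule binds a group of hosts to a group of users, so adding a host means adding it to a host group rather than creating a new AD group and touching that host's sssd.conf.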
