On Tue, 2022-12-20 at 08:22 +0200, Alexander Bokovoy via FreeIPA-users wrote:
> FreeIPA does not provide generation capabilities in itself. These things
> are specific to individual deployments and their logic is impossible to
> automate in a generic way without exposing some kind of a general
> purpose language to express it. So we aren't going to implement this
> when all you can do is to use ansible-freeipa to define your logic and
> actions already.
I don't understand why it would be so hard. I'll try to explain better how it might work.

1. 700 users get workstations.
2. We put all users into a "workstation" user group.
3. An HBAC rule "allow_workstation" is created for the "workstation" user group to login using the Services sshd, sudo, su, and su-l, as well as an HBAC Service Group called gnome.
4. In the host records for each of the workstations, we select which user is the "admin" for that workstation.
5. IPA creates internally a Sudo rule for the user and workstation pair that gives that user "admin" control (i.e. all commands allowed as root/anyone).

That's it. freeipa would be doing on its own and tracking internally what we would have to do anyway via ansible or the web UI. Nothing fancy or complicated. Why would this be difficult to support within freeipa? I apologize if this is a dumb question. :P

Some background info: we have many hundreds of workstations we want to bring into our new IPA deployment and new ones are being added all of the time. I don't want to use local sudo rules and I also don't want to create sudo rules approaching 1000 in number. Both are dumb solutions, even with ansible.

Please feel free to hammer my take on this! :)

--
Ranbir
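The five steps above, turned into the ipa(1) commands an administrator would run from a host-to-admin mapping, as an added example that is not code from FreeIPA, ansible-freeipa or the poster; the host names, user names and the mapping format are constructed assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA's or ansible-freeipa's own code): generate the ipa(1)
# commands for the five steps in the proposal from a "<workstation> <admin>" mapping.
# Host names, user names and the mapping format are constructed assumptions.
set -eu

# Constructed sample mapping, one "<workstation fqdn> <admin uid>" pair per line.
MAPPING=$(cat <<'EOF'
ws01.example.test alice
ws02.example.test bob
# comment lines are skipped
ws03.example.test alice
EOF
)

# Steps 2-3: the shared group and the single HBAC rule for every workstation user.
emit_hbac_cmds() {
  cat <<'EOF'
ipa group-add workstation --desc='users who have a workstation'
ipa hbacrule-add allow_workstation --desc='workstation logins'
ipa hbacrule-add-user allow_workstation --groups=workstation
ipa hbacrule-add-service allow_workstation --hbacsvcs=sshd,sudo,su,su-l
ipa hbacrule-add-service allow_workstation --hbacsvcgroups=gnome
EOF
}

# Steps 4-5: one sudo rule per (workstation, admin) pair. The rule name is derived
# from the host's short name so a rerun addresses the same rule. All commands and
# any run-as user/group, matching the "admin control" the proposal describes.
emit_sudo_cmds() {
  printf '%s\n' "$1" | while read -r host admin _; do
    case "$host" in ''|'#'*) continue ;; esac
    if [ -z "$admin" ]; then echo "missing admin for $host" >&2; exit 1; fi
    # Reject anything that is not a plain hostname/uid character before it is
    # placed on a command line; the subshell exit makes the function return 1.
    case "$host$admin" in *[!a-z0-9._-]*)
      echo "rejected mapping line: $host $admin" >&2; exit 1 ;;
    esac
    name="admin_${host%%.*}"
    printf 'ipa sudorule-add %s --cmdcat=all --runasusercat=all --runasgroupcat=all\n' "$name"
    printf 'ipa sudorule-add-user %s --users=%s\n' "$name" "$admin"
    printf 'ipa sudorule-add-host %s --hosts=%s\n' "$name" "$host"
  done
}

# Number of sudo rules a mapping would create (one per workstation, not per user).
count_sudo_rules() {
  emit_sudo_cmds "$1" | grep -c '^ipa sudorule-add '
}
```

Review the generated commands before running them on an enrolled client, e.g. `{ emit_hbac_cmds; emit_sudo_cmds "$MAPPING"; }`; the same mapping is what an ansible-freeipa playbook would loop over.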
