On 07/11/2013 05:54 PM, KodaK wrote:
>
>
> On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal <[email protected]> wrote:
>
>     Well it is something like this that I had in mind. But you have
>     beaten me...
>     Great to see you found an acceptable solution.
>
>
> Acceptable is a strong word. Maybe "passable" or Microsoft-style "it
> works, ship it." :)
>
> Out of curiosity, what were your thoughts on a solution for us? Did
> it differ significantly
> from what I'm doing? (I'm always on the lookout for a better way.)
What you need is who can access a specific AIX machine, right?
You have several sets of AIX machines, say 5, each of which has an HBAC
rule that relates a group of users X to a group of AIX machines with the
same set of users. If you have non-overlapping host groups you can fetch
users with one LDAP search from the puppet master. I am not good with
LDAP syntax but SQL is natural for me, so conceptually the search would
look like this:

    SELECT group.member FROM group
    JOIN hbac ON group-DN
    JOIN hostgroup ON hostgroup-DN
    WHERE hostgroup.member CONTAINS host X

I hope it conveys what I have in mind. The result of such a search would
be a list of group members that have access to the host. This is pretty
close to what you have done except it covers nested groups too and uses
HBAC rules.

>
> Also, what's PWT mail?

Private. I made a typo. It should have been V :-)

> I assume some sort of encrypted or private mail, but I'm not
> familiar with the acronym.
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
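The "join" Dmitri sketches above, worked through as an added example (it is not FreeIPA code and not anything posted in this thread). It keeps an in-memory snapshot of the relevant IPA directory entries and answers "which users may log into host X" by walking enabled HBAC rules, following nested host groups on the host side and nested user groups on the user side. The attribute names (member, memberUser, memberHost, userCategory, hostCategory, ipaEnabledFlag) and container DNs follow the FreeIPA schema; the base DN, host and user names and rule IDs are constructed for the example. Services (memberService/serviceCategory) are deliberately left out, so a real rule set needs that extra dimension before the answer is complete.

```python
"""Derive "who may log into host X" from FreeIPA-style HBAC rules.

Added example, not FreeIPA code.  The directory below is a constructed
snapshot; only the attribute names and container DNs follow the IPA schema.
"""
from collections import deque

SUFFIX = "dc=example,dc=test"  # constructed base DN


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{SUFFIX}"


def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{SUFFIX}"


def hostgroup_dn(cn):
    return f"cn={cn},cn=hostgroups,cn=accounts,{SUFFIX}"


def rule_dn(name):
    return f"ipaUniqueID={name},cn=hbac,{SUFFIX}"  # constructed rule IDs


# Constructed directory snapshot: DN -> attributes (multi-valued -> list).
DIRECTORY = {
    user_dn("alice"): {}, user_dn("bob"): {}, user_dn("carol"): {}, user_dn("dave"): {},
    host_dn("aix01.example.test"): {}, host_dn("aix02.example.test"): {},
    host_dn("aix09.example.test"): {},
    # User groups: aix-admins nests unix-admins, so bob is an indirect member.
    group_dn("aix-admins"): {"member": [user_dn("alice"), group_dn("unix-admins")]},
    group_dn("unix-admins"): {"member": [user_dn("bob")]},
    group_dn("dba"): {"member": [user_dn("carol")]},
    # Host groups: aix-prod nests aix-prod-db.
    hostgroup_dn("aix-prod"): {"member": [host_dn("aix01.example.test"),
                                          hostgroup_dn("aix-prod-db")]},
    hostgroup_dn("aix-prod-db"): {"member": [host_dn("aix02.example.test")]},
    hostgroup_dn("aix-test"): {"member": [host_dn("aix09.example.test")]},
    # HBAC rules: a user side (memberUser/userCategory) and a host side
    # (memberHost/hostCategory).
    rule_dn("r1"): {"ipaEnabledFlag": ["TRUE"],
                    "memberUser": [group_dn("aix-admins")],
                    "memberHost": [hostgroup_dn("aix-prod")]},
    rule_dn("r2"): {"ipaEnabledFlag": ["TRUE"],
                    "memberUser": [group_dn("dba")],
                    "memberHost": [hostgroup_dn("aix-prod-db")]},
    rule_dn("r3"): {"ipaEnabledFlag": ["FALSE"],  # disabled: must be ignored
                    "memberUser": [group_dn("dba")],
                    "memberHost": [hostgroup_dn("aix-test")]},
    rule_dn("r4"): {"ipaEnabledFlag": ["TRUE"],
                    "userCategory": ["all"],  # every user, no memberUser needed
                    "memberHost": [host_dn("aix09.example.test")]},
}


def expand(dns, leaf_prefix):
    """Follow 'member' transitively from the given DNs and return the leaf
    DNs (those starting with leaf_prefix).  The visited set guards against
    membership cycles, which IPA does not forbid."""
    leaves, seen, todo = set(), set(), deque(dns)
    while todo:
        dn = todo.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        if dn.startswith(leaf_prefix):
            leaves.add(dn)
        else:
            todo.extend(DIRECTORY.get(dn, {}).get("member", []))
    return leaves


def users_for_host(fqdn):
    """Return the sorted uids granted access to fqdn by any enabled rule."""
    target = host_dn(fqdn)
    allowed = set()
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith(f",cn=hbac,{SUFFIX}"):
            continue  # not an HBAC rule entry
        if attrs.get("ipaEnabledFlag", ["FALSE"])[0].upper() != "TRUE":
            continue  # disabled rules grant nothing
        host_ok = (attrs.get("hostCategory", [""])[0] == "all"
                   or target in expand(attrs.get("memberHost", []), "fqdn="))
        if not host_ok:
            continue
        if attrs.get("userCategory", [""])[0] == "all":
            users = {d for d in DIRECTORY if d.startswith("uid=")}
        else:
            users = expand(attrs.get("memberUser", []), "uid=")
        allowed.update(users)
    return sorted(d.split(",", 1)[0][len("uid="):] for d in allowed)


if __name__ == "__main__":
    for h in ("aix01.example.test", "aix02.example.test", "aix09.example.test"):
        print(h, users_for_host(h))
```

Run on the snapshot, aix01 resolves to alice and bob (bob only via the nested unix-admins group), aix02 additionally picks up carol through the nested aix-prod-db host group, and aix09 gets every user from the userCategory=all rule while the disabled rule r3 contributes nothing. On a live server the authoritative per-triple check is `ipa hbactest --user U --host H --service S`; this example answers the inverse question for one host from an LDAP-shaped snapshot, which is the shape a puppet master can pull in a single search.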
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
