On Wed, 28 Jun 2017, Howard Johnson wrote:
Cheers for the feedback.
On 2017-06-28 12:14, Alexander Bokovoy wrote:
We are going to introduce a special type of groups where membership
reading would be limited to some conditions but this would not be
relevant to HBAC, at least from my current understanding of the
situation. This is to support organizational groups, not host-based
access rights.
I guess at worst for this we might need a new set of
role/privilege/permission that would allow viewing of all memberOf
attributes.
Correct. Though the way HBAC rules are evaluated right now by SSSD
assumes we are dealing with POSIX users/groups there, so the subject of
the HBAC check is a user with POSIX group membership. This membership
information is already flattened, so that intermediate non-POSIX group
membership is not there anymore, because POSIX groups are
non-hierarchical. Given that we would specifically target those
organizational groups for non-POSIX use, I don't think we lose anything
here.
--
/ Alexander Bokovoy
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
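The following is an added illustrative model of the flattening described in the thread above; it is example code written for this page, not SSSD's or FreeIPA's own implementation. It builds the transitive memberOf view of a nested group graph, keeps only the POSIX groups (what a client sees after flattening), and then evaluates a simplified HBAC rule against that flattened set. The group, user, host and service names, and the shape of the rule dictionaries, are constructed for the example.

```python
"""Model of HBAC evaluation against flattened POSIX group membership.

Constructed sample directory (hypothetical names): a POSIX group "devs"
contains the non-POSIX organizational group "org-backend", which contains
user "bob". After flattening, bob is a member of "devs" only; the
intermediate non-POSIX group is gone.
"""

# group name -> {"posix": bool, "members": direct member users and groups}
GROUPS = {
    "devs":        {"posix": True,  "members": ["org-backend", "alice"]},
    "org-backend": {"posix": False, "members": ["bob"]},
    "admins":      {"posix": True,  "members": ["carol"]},
}
USERS = {"alice", "bob", "carol"}


def transitive_memberof(user):
    """All groups a user belongs to directly or via nesting (the LDAP memberOf view)."""
    parents = {}
    for group, info in GROUPS.items():
        for member in info["members"]:
            parents.setdefault(member, set()).add(group)
    seen, stack = set(), [user]
    while stack:
        node = stack.pop()
        for parent in parents.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def posix_groups(user):
    """Flattened membership: only POSIX groups survive, non-POSIX intermediates drop out."""
    return {g for g in transitive_memberof(user) if GROUPS[g]["posix"]}


def hbac_allows(rule, user, host, service):
    """Simplified HBAC check (no 'all' categories): the user must match by name or by
    flattened POSIX group, and the host and service must be listed in the rule."""
    user_ok = user in rule["users"] or bool(posix_groups(user) & rule["groups"])
    return user_ok and host in rule["hosts"] and service in rule["services"]


# Constructed rules: one targets the POSIX group, one the non-POSIX organizational group.
RULE_DEVS_SSH = {"users": set(), "groups": {"devs"},
                 "hosts": {"web1"}, "services": {"sshd"}}
RULE_ORG_BACKEND = {"users": set(), "groups": {"org-backend"},
                    "hosts": {"web1"}, "services": {"sshd"}}

if __name__ == "__main__":
    print("bob memberOf (transitive):", sorted(transitive_memberof("bob")))
    print("bob POSIX groups (flattened):", sorted(posix_groups("bob")))
    print("devs rule allows bob:", hbac_allows(RULE_DEVS_SSH, "bob", "web1", "sshd"))
    print("org-backend rule allows bob:", hbac_allows(RULE_ORG_BACKEND, "bob", "web1", "sshd"))
```

The second rule never matches bob even though he is transitively a member of "org-backend": once membership is flattened to POSIX groups, a rule that names a non-POSIX intermediate group has nothing to match against, which is the loss Alexander argues is acceptable because those organizational groups are not meant for HBAC.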