Hi all,
I am in the beginning stages of researching moving from NIS to FreeIPA. I am running through the workshop on the FreeIPA github, and am having difficulty understanding the difference between categories and groups.
For example, I have one HBAC rule that came pre-defined on my FreeIPA server for "allow_systemd-user" that says it applies for user category and host category of "all". But then the workshop has me add an HBAC rule to allow a user to access a specific host by adding user and host groups, not categories.
I'm sure there is a simple difference between the two, but I am not having much luck finding these concepts explained anywhere in the documentation. Can you point me towards where I can find this?
Thank you!
Russell Jones via FreeIPA-users wrote:
> Hi all,
> I am in the beginning stages of researching moving from NIS to FreeIPA. I am running through the workshop on the FreeIPA github, and am having difficulty understanding the difference between categories and groups.
> For example, I have one HBAC rule that came pre-defined on my FreeIPA server for "allow_systemd-user" that says it applies for user category and host category of "all". But then the workshop has me add an HBAC rule to allow a user to access a specific host by adding user and host groups, not categories.
> I'm sure there is a simple difference between the two, but I am not having much luck finding these concepts explained anywhere in the documentation. Can you point me towards where I can find this?
We wanted an easy way to apply rules to all entries of users or hosts. We could have just added a special option for that but at the time we figured that eventually other use cases like this would pop up so we created a category option with just one choice: all. We never did come up with another use case.
The alternative would be to create a hostgroup or user group that contained all entries and that could become overwhelming. So it is basically a shortcut.
rob
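To illustrate the reply above, here is an added example (not code from FreeIPA or from either poster) that models how a rule with category "all" differs from one that lists groups. It is a simplified model: the class and function names, the `sysadmin_webservers` rule, the host names and the service list given to `allow_systemd-user` are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HBACRule:
    """Simplified model of an HBAC rule; "all" is the only category value."""
    name: str
    user_category: str = ""
    host_category: str = ""
    service_category: str = ""
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)

def side_matches(category, name, groups, members, member_groups):
    # Category "all" short-circuits: no membership lookup is needed.
    if category == "all":
        return True
    return name in members or bool(set(groups) & member_groups)

def allowed_by(rules, user, user_groups, host, host_groups, service):
    """Return names of rules granting access; an empty list means denied."""
    granted = []
    for r in rules:
        if (side_matches(r.user_category, user, user_groups, r.users, r.user_groups)
                and side_matches(r.host_category, host, host_groups, r.hosts, r.host_groups)
                and side_matches(r.service_category, service, (), r.services, set())):
            granted.append(r.name)
    return granted

# Constructed sample data (names other than allow_systemd-user are hypothetical).
RULES = [
    # Category form: every user on every host; the service list is an assumption.
    HBACRule("allow_systemd-user", user_category="all", host_category="all",
             services={"systemd-user"}),
    # Group form: only members of the named user group and host group.
    HBACRule("sysadmin_webservers", user_groups={"sysadmin"},
             host_groups={"webservers"}, services={"sshd"}),
]

if __name__ == "__main__":
    print(allowed_by(RULES, "alice", {"sysadmin"}, "web1.example.test", {"webservers"}, "sshd"))
    print(allowed_by(RULES, "bob", set(), "db1.example.test", set(), "systemd-user"))
    print(allowed_by(RULES, "bob", set(), "web1.example.test", {"webservers"}, "sshd"))
```

The third call returns an empty list: a user outside the listed group is denied even on a host that is in the host group, because every side of a rule has to match.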
That makes sense. Thank you!
On Wed, Oct 9, 2019 at 1:02 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Russell Jones via FreeIPA-users wrote:
> > Hi all,
> > I am in the beginning stages of researching moving from NIS to FreeIPA. I am running through the workshop on the FreeIPA github, and am having difficulty understanding the difference between categories and groups.
> > For example, I have one HBAC rule that came pre-defined on my FreeIPA server for "allow_systemd-user" that says it applies for user category and host category of "all". But then the workshop has me add an HBAC rule to allow a user to access a specific host by adding user and host groups, not categories.
> > I'm sure there is a simple difference between the two, but I am not having much luck finding these concepts explained anywhere in the documentation. Can you point me towards where I can find this?
> We wanted an easy way to apply rules to all entries of users or hosts. We could have just added a special option for that but at the time we figured that eventually other use cases like this would pop up so we created a category option with just one choice: all. We never did come up with another use case.
> The alternative would be to create a hostgroup or user group that contained all entries and that could become overwhelming. So it is basically a shortcut.
> rob
freeipa-users@lists.fedorahosted.org