On 07/10/2014 08:11 AM, John Hodrien wrote:
On Thu, 10 Jul 2014, Stephen Gallagher wrote:
> John, this would actually be a rather interesting idea, but I agree
> with Dmitri: if this is the level of control that you need, you would
> be in a far better position with FreeIPA/Red Hat Identity Management.
> It has this concept baked into its Host-Based Access Control mechanism
> (which SSSD fully supports). The problem with trying to do this in
> plain LDAP is that there exists no standard mechanism for maintaining
> this sort of information on the LDAP server (FreeIPA's HBAC rules are
> kind of a de-facto standard).
By adding a group to AD per machine with suitable members, and using simple to restrict access to that group, are you not in the same place, albeit with an extra object in LDAP?
No. HBAC is much more flexible. It uses groups of systems and groups of users, so you have to create and maintain far fewer objects.
But in your previous email you said OpenLDAP; now you say AD. I am confused.
jh
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
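The difference the thread is arguing about (one per-machine group consumed by SSSD's simple access provider, versus HBAC rules that bind groups of users to groups of hosts) can be made concrete with a small model. The block below is an added illustration, not code from this thread, from SSSD or from FreeIPA: it implements a simplified evaluator with HBAC's allow-only semantics (access is granted only if some enabled rule matches the user, the target host and the PAM service), and counts how many per-host allow groups the simple-provider approach would need to express the same policy. The rule shape, the group names and the hosts are constructed assumptions; real FreeIPA HBAC additionally has service groups and "all" categories, and is evaluated by SSSD against rules fetched from the IPA server.

```python
"""Toy model of FreeIPA-style Host-Based Access Control (HBAC) evaluation.

Added illustration only; not code from the sssd-users thread, SSSD or FreeIPA.
Rules bind user groups to host groups for given PAM services, and access is
denied unless an enabled rule matches all three (HBAC is allow-only).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HbacRule:
    name: str
    user_groups: frozenset   # user groups this rule allows
    host_groups: frozenset   # host groups this rule applies to
    services: frozenset      # PAM services covered (sshd, login, ...)
    enabled: bool = True


@dataclass
class Directory:
    user_groups: dict = field(default_factory=dict)   # user -> set of groups
    host_groups: dict = field(default_factory=dict)   # host -> set of hostgroups
    rules: list = field(default_factory=list)


def hbac_allowed(d, user, host, service):
    """True if some enabled rule matches user, host and service; else denied."""
    ug = d.user_groups.get(user, set())
    hg = d.host_groups.get(host, set())
    return any(
        r.enabled
        and service in r.services
        and bool(r.user_groups & ug)
        and bool(r.host_groups & hg)
        for r in d.rules
    )


def simple_allow_groups_needed(d, service):
    """Objects the 'one group per machine + access_provider = simple' approach
    would need for the same policy: one allow group per host that any enabled
    rule covers (and each group's membership then has to be maintained)."""
    hosts = set()
    for r in d.rules:
        if not r.enabled or service not in r.services:
            continue
        for host, groups in d.host_groups.items():
            if groups & r.host_groups:
                hosts.add(host)
    return len(hosts)


def build_demo():
    """Constructed sample directory: 20 web hosts, 5 db hosts, two rules."""
    d = Directory()
    d.user_groups["alice"] = {"webadmins"}
    d.user_groups["bob"] = {"webadmins"}
    d.user_groups["carol"] = {"dbadmins"}
    d.user_groups["dave"] = {"helpdesk"}       # in no rule: always denied
    for i in range(1, 21):
        d.host_groups[f"web{i:02d}"] = {"webservers"}
    for i in range(1, 6):
        d.host_groups[f"db{i:02d}"] = {"dbservers"}
    d.rules = [
        HbacRule("web-ssh", frozenset({"webadmins"}),
                 frozenset({"webservers"}), frozenset({"sshd"})),
        HbacRule("db-ssh", frozenset({"dbadmins"}),
                 frozenset({"dbservers"}), frozenset({"sshd"})),
    ]
    return d


if __name__ == "__main__":
    d = build_demo()
    print(hbac_allowed(d, "alice", "web07", "sshd"))   # True
    print(hbac_allowed(d, "alice", "db01", "sshd"))    # False
    print(len(d.rules), "HBAC rules vs",
          simple_allow_groups_needed(d, "sshd"), "per-host allow groups")
```

With the constructed data, two HBAC rules cover 25 hosts, while the per-machine-group approach needs 25 group objects whose memberships drift independently; that is the maintenance cost the reply refers to. Note also that a user with no matching rule (here "dave") and a service the rule does not list are both denied by default.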