On Wed, 2022-12-21 at 09:59 +0200, Alexander Bokovoy via FreeIPA-users wrote:

[snip]

That was all excellent info. Thank you.

> Now, if you have no people at your organization to implement a plugin
> to provide an integrated solution, you can write down the logic you
> need to create all additional rules in ansible-freeipa playbooks. This
> gives a better way to preserve the logic for administrators and run
> these playbooks whenever you need to add a new user. This would be a
> part of the life-cycle management flow which typically includes a lot
> of other operations, often beyond FreeIPA itself.

Yes, I can do what I want via ansible so for the immediate future, that
is the route I'll take.

> You do realize that in order to use SUDO to limit access on the
> machine itself, you would need to create SUDO rules anyway, do you? It
> doesn't matter where they exist, locally or centrally in IPA, the rules
> would need to exist and be maintained. A move of responsibility between
> who owns the rules and who creates/removes them does not change the
> fact that SUDO requires rules to exist to apply.

Yes, of course. My end state is to do as much as possible with the
fewest interactions between human and machine required to achieve that
end state. But that depends on skill level and knowledge. lol I'll do
the best I can with what I know without getting mired in learning
Python and reading the FreeIPA source code.

Thanks again for the detailed reply.

-- 
Ranbir