
We are thinking of using LDAP based Identity and Access Management setup with VMware vCloud and OpenStack Nova Compute VMs. VMware vCloud and OpenStack Nova Compute VMs are self-serve in that the end-users (non Admins) can create the VMs as needed.

Currently we have ldap_access_filter set to ((memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)), which allows access to a Linux/UNIX machine to whoever is in that group.

Since the end-user is not part of this group, he/she is not able to login. We would like to automatically add the end-user who created the VM to the ldap_access_filter.

Also, since we manage the sudo rules in LDAP, we would like to automatically create a sudo rule for that VM and add the user to the rule.

Any thoughts on how to best design this? Maybe we are over-thinking this, and there is a simpler solution.

The end goal is that the end-user who creates the VM should have full access to that VM, in addition to the System Administrators LDAP group.

Saqib Ali
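An added example (not from the question or its answer) of the two artifacts the provisioning step would have to emit per VM: a host-scoped sssd.conf ldap_access_filter and a sudoRole LDIF entry limited to exactly that host and that user. It assumes the standard sudoers LDAP schema under an ou=SUDOers container and a `host` attribute on the user entry that provisioning fills with the VM's FQDN; the group DN is the one quoted in the question. VM names and logins arrive from a self-service portal, so they are validated and escaped before being placed into a filter or DN.

```python
import re

# Constructed values for this example; the group DN is the one quoted in the question.
BASE_DN = "dc=example,dc=com"
SUDOERS_OU = "ou=SUDOers," + BASE_DN   # assumed container for sudoRole entries
ADMIN_GROUP_DN = "cn=System Adminstrators,ou=Groups," + BASE_DN

_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def is_valid_names(vm_fqdn: str, uid: str) -> bool:
    """Reject anything that is not a plausible hostname / POSIX login before it reaches LDAP."""
    return bool(_HOSTNAME_RE.match(vm_fqdn)) and bool(_UID_RE.match(uid))

def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def ldap_dn_escape(value: str) -> str:
    """Escape an attribute value used in an RDN (RFC 4514)."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def vm_access_filter(vm_fqdn: str) -> str:
    """ldap_access_filter for this VM's sssd.conf: members of the admin group, or any
    user whose 'host' attribute (assumed to be set at VM creation) names this VM."""
    if not is_valid_names(vm_fqdn, "placeholder"):
        raise ValueError("invalid VM hostname: %r" % vm_fqdn)
    return "(|(memberOf=%s)(host=%s))" % (
        ldap_filter_escape(ADMIN_GROUP_DN), ldap_filter_escape(vm_fqdn))

def sudo_rule_ldif(vm_fqdn: str, uid: str) -> str:
    """LDIF for one sudoRole entry scoped to exactly this host and this user."""
    if not is_valid_names(vm_fqdn, uid):
        raise ValueError("invalid VM hostname or uid: %r / %r" % (vm_fqdn, uid))
    cn = "vm-%s-%s" % (vm_fqdn, uid)
    return "\n".join([
        "dn: cn=%s,%s" % (ldap_dn_escape(cn), SUDOERS_OU),
        "objectClass: top",
        "objectClass: sudoRole",
        "cn: %s" % cn,
        "sudoUser: %s" % uid,
        "sudoHost: %s" % vm_fqdn,   # never ALL: the rule must not widen to other VMs
        "sudoRunAsUser: ALL",
        "sudoCommand: ALL",
        "",
    ])
```

The LDIF is loaded with ldapadd by the provisioning job, and the filter string is written into the VM's sssd.conf [domain] section; deleting the VM should remove the sudoRole entry and the host value again.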

1 Answer


This is not really an IPA/SSSD question, but depends on how the users and machines are provisioned. Check out IDM's automember command; this might help.

jhrozek
Comment: Jakub, I understand this is not an IPA/SSSD question, but I was looking for best practices. I am sure other large enterprises have self-serve private clouds as well with centralized Identity and Access Management. – Saqib Ali Oct 06 '16 at 13:55