On Tue, Feb 22, 2022 at 9:54 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:

> I don't think there's any way in IPA to require otp as a requirement for
> group membership currently. (Please let me know if there is).
> Which would leave us checking after the fact and removing people without
> one set, which is a big pile of hassle. :(

Well, should such a policy be enacted, there is the one-time check for existing packagers, and then just one more step to check box to check for those that are requesting to be added to the packager group. Not ideal, but I would expect doable (unless there is a lot more churn in the packager group than I am aware of).

> Enforcing otp per group also would require dev work from what I
> understand. :(

Probably. Although the requirement to enforce the most restrictive requirement(s) on a user that any group requires that the user is a member of is something that is certainly desirable of better implementations (and if a group later is changed to have higher requirements, users that do not conform would need to be addressed (removal from group entirely, not getting the group authorizations, something....)).