[Freeipa-users] Permit non-admin users to add user accounts

Rob Crittenden rcritten at redhat.com
Thu May 7 19:28:55 UTC 2009


Daniel Scott wrote:
> Hi,
> 
> I would like to have the following permission system:
> 
> Group: managers (Full admin of users group)
> Group: users (Group for general users)
> 
> The managers group should have essentially full control of the users
> group. I've enabled most functionality through a delegation, but there
> doesn't appear to be a facility to allow non-admins to add user
> accounts. I would like the managers group to be able to add users to
> the system, without the managers being in the admins group. Managers
> would then be able to add those users to the users group.
> 
> Is this possible? I have found no documentation on this. The existing
> documentation implies that users adding other users are admins, but I
> cannot give managers admin access. Looking through the documentation
> that I have found, it seems like I may have to wait until version 2 -
> can anyone comment on this?

Yes, by default this is not possible to do in v1 and is planned for v2.

It would be pretty hairy to manually do this in v1 but it would be 
possible. It would involve creating a couple of DS ACIs and creating a 
group to grant the access to.

Something like this ACI would grant creating IPA users (where $SUFFIX is 
something like dc=mit,dc=edu):

aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)

Then create an addusers group and you can add users/groups to that.

Of course once you open this can of worms things get interesting because 
then you'll want to delete and modify users, and then groups, and...

Well, you can see how it gets hairy fast.

You'll find that this ACI alone isn't enough to actually work with the 
IPA tools because you also need write access on the member attribute of 
groups and write access on the password attributes of users because of 
the way we add users. We do it in 3 steps:

1. Create the user entry
2. Add the user to the default IPA users group
3. Set the password

And so it goes.

To get an idea of what we're planning for v2 you can look at
http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git;a=blob_plain;f=install/updates/40-delegation.update;hb=HEAD

The idea is to create ACIs which grant some permission to a task. This 
task is in the form of an LDAP group (so we call it a taskgroup).

A taskgroup generally but not always maps 1-1 to an ACI. A taskgroup 
should represent a single operation.

On top of this we have rolegroups. A rolegroup will be something like 
"Helpdesk". You might assign the task "change password" to the helpdesk 
rolegroup.

Or you could have a "user admin" rolegroup. You might assign the add and 
update user tasks to that rolegroup (for the sake of argument we don't 
trust them with deleting users).

Rolegroups can be members of other rolegroups and be a member of 
multiple taskgroups.

As it stands today we probably aren't going to provide any tools to 
create tasks. You'll be able to create rolegroups to determine who can 
do what but if we don't provide some specific task you need you'll be 
back to writing ACIs by hand. The reason being that doing so requires a 
fairly detailed knowledge of the DIT and the relationships between objects.

rob
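The following LDIF is an added example, not code from the thread or from the FreeIPA project. It puts together what Rob's reply describes in two forms: first the v1 "by hand" approach (the addusers group plus the three ACIs needed so the IPA tools can complete all three steps of adding a user: create the entry, add it to the default users group, set the password), then the same grant expressed in the taskgroup/rolegroup shape sketched for v2. Assumptions not in the original: the suffix is dc=example,dc=com, the default IPA users group is cn=ipausers, the password attribute is userPassword, uid=alice is a constructed manager account, the v2 container names cn=taskgroups and cn=rolegroups, and that these containers already exist.

```ldif
# Added example (not from the thread or FreeIPA). Feed to ldapmodify as
# Directory Manager. Suffix dc=example,dc=com, group cn=ipausers, attribute
# userPassword and user uid=alice are assumptions; adjust before use.

# --- v1, by hand -----------------------------------------------------------

# 1. The group that receives the access. Alternatively create it with
#    ipa-addgroup so it gets the objectclasses the IPA tools expect.
dn: cn=addusers,cn=groups,cn=accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofnames
cn: addusers
description: May create users, add them to ipausers and set their password
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

# 2. Three ACIs on the suffix entry, one per step of "add user".
#    The target of the first is the entry being created; the second and
#    third are limited to a single attribute each (least privilege).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
 (version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
aci: (targetattr = "member")
 (target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")
 (version 3.0;acl "Add Users: ipausers membership";allow (write) groupdn = "ldap:///cn=addusers,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
aci: (targetattr = "userPassword")
 (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
 (version 3.0;acl "Add Users: set password";allow (write) groupdn = "ldap:///cn=addusers,cn=groups,cn=accounts,dc=example,dc=com";)
-

# --- the v2-style shape: task -> taskgroup, rolegroup -> taskgroup --------

# 3. A rolegroup ("user admin") holding the people; users or other
#    rolegroups are its members.
dn: cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofnames
cn: useradmin
description: User admin rolegroup (assumed container name)
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

# 4. One taskgroup per operation; the rolegroup is a member of it.
dn: cn=add user,cn=taskgroups,cn=accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupofnames
cn: add user
description: Task: create a user entry (assumed container name)
member: cn=useradmin,cn=rolegroups,cn=accounts,dc=example,dc=com

# 5. The ACI grants the task to the taskgroup, never to a person or a
#    rolegroup directly. Membership is resolved through the nested groups
#    (389 DS follows nesting in groupdn up to nsslapd-groupevalnestlevel).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
 (version 3.0;acl "Task: add user";allow (add) groupdn = "ldap:///cn=add user,cn=taskgroups,cn=accounts,dc=example,dc=com";)
-
```

Load it with `ldapmodify -x -D "cn=Directory Manager" -W -f delegation.ldif`, then check it as the manager rather than as admin: `kinit alice` followed by `ipa-adduser` for a throwaway account should succeed, and the same command from an account in neither group should still be refused. Lines in an `aci:` value that begin with a single space are LDIF continuation lines and are joined with that space removed, which is why each break sits right after a closing parenthesis. Deleting or updating users later needs further ACIs (`allow (delete)` on the user entries, `allow (write)` on the attributes the update tool touches) and, in the v2 shape, one further taskgroup per operation.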