[Freeipa-users] Permit non-admin users to add user accounts

Rob Crittenden rcritten at redhat.com
Mon May 11 13:58:13 UTC 2009


Daniel Scott wrote:
> Hi,
> 
> Wow, that was an amazingly detailed and fast reply, thanks.
> 
> 2009/5/7 Rob Crittenden <rcritten at redhat.com>:
>> Yes, by default this is not possible to do in v1 and is planned for v2.
>>
>> It would be pretty hairy to manually do this in v1 but it would be possible.
>> It would involve creating a couple of DS ACIs and creating a group to grant
>> the access to.
>>
>> Something like this ACI would grant creating IPA users (where $SUFFIX is
>> something like dc=mit,dc=edu):
>>
>> aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
>>  3.0;acl "Add Users";allow (add) groupdn =
>> "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)
>>
>> Then create an addusers group and you can add users/groups to that.
> 
> I'll look into ACIs a little more - it looks like the one you provided
> will do fine. If I'm understanding it correctly, that would permit
> members of the 'addusers' group to add general users? They wouldn't be
> forced into a particular group? I guess I would need a rule similar to
> that which adds all users into the 'ipausers' group to automatically
> put them into my chosen group.

Right, members of addusers can create new users. The users they create 
would be standalone, essentially. The addusers group only grants access 
to write the user entry, not anything else.

For adding a user to a group automatically you wouldn't do this with an 
ACI. IPA defines a "default group for users." There is currently only 
one group though. You'd have to manually add users to other groups now 
if you want to automatically add some new users to group A and others to 
group B.

In order to be able to add a user to a group you need to grant write 
access on the member attribute of the group.

> 
>> Of course once you open this can of worms things get interesting because
>> then you'll want to delete and modify users, and then groups, and...
> 
> Sure. Thankfully, we don't imagine that deletions will happen very
> often, so we can get a full admin to do that. I've used the
> 'delegation' part of the freeipa control panel to create a group which
> can modify users in another group. This seems to work fine. Are there
> any problems with this that you know of?
> 
> Thanks for the other information related to version 2, very
> interesting. And thanks again for the detailed reply.
> 
> Initially, we think this will be pretty low volume, so full admins can
> handle a lot of stuff. We just want to be prepared in case the volume
> increases.
> 
> Thanks,
> 
> Dan

Glad this helped.

rob
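The thread above gives an "Add Users" ACI and then notes that adding a user to a group additionally needs write access on that group's member attribute. The following is an added example (not code from the thread's participants or from the FreeIPA project) that parses 389 Directory Server style ACIs of that shape and reviews them for least privilege: it accepts the two grants the thread describes and flags an over-broad one. The sample ACIs, the group name cn=groupa and the review rules are constructed for illustration; $SUFFIX is the placeholder used in the thread, not a real base DN.

```python
"""
Parse and review 389 DS / FreeIPA v1 style ACIs for least privilege.
Added example: not the FreeIPA project's code. ACIs below are constructed.
"""
import re

# Constructed sample ACIs. The first is the "Add Users" ACI from the thread,
# the second grants the delegated group write on the member attribute of one
# specific group (cn=groupa is a made-up name), the third is deliberately
# over-broad so the reviewer has something to flag.
SAMPLE_ACIS = [
    '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;'
    'acl "Add Users";allow (add) groupdn = '
    '"ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)',

    '(target = "ldap:///cn=groupa,cn=groups,cn=accounts,$SUFFIX")'
    '(targetattr = "member")(version 3.0;acl "Add members to group A";'
    'allow (write) groupdn = "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)',

    '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(targetattr = "*")'
    '(version 3.0;acl "Too broad";allow (write, delete) userdn = "ldap:///anyone";)',
]

_TARGET = re.compile(r'\(\s*target\s*=\s*"([^"]*)"\s*\)')
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')
_BODY = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$',
    re.DOTALL,
)
_ANYONE = re.compile(r'userdn\s*=\s*"ldap:///(anyone|all)"', re.IGNORECASE)


def parse_aci(aci):
    """Split one ACI string into target, targetattr, name, rights, bind rule."""
    body = _BODY.search(aci)
    if body is None:
        raise ValueError("not a version 3.0 ACI: %r" % aci)
    target = _TARGET.search(aci)
    attr = _TARGETATTR.search(aci)
    name, effect, perms, bind = body.groups()
    return {
        "name": name,
        "effect": effect,
        "target": target.group(1) if target else None,
        # targetattr is a list of attribute names ("a || b"), or None if absent
        "targetattr": [a.strip() for a in attr.group(2).split("||")] if attr else None,
        "targetattr_negated": bool(attr and attr.group(1) == "!="),
        "permissions": sorted(p.strip() for p in perms.split(",")),
        "bind_rule": bind.strip(),
    }


def review_aci(parsed):
    """Return least-privilege findings (strings) for one parsed ACI."""
    findings = []
    if parsed["effect"] != "allow":
        return findings
    perms = set(parsed["permissions"])
    attrs = parsed["targetattr"]
    target = parsed["target"] or ""
    # A bind rule of anyone/all hands the grant to every bind, not a delegated group.
    if _ANYONE.search(parsed["bind_rule"]):
        findings.append("grant applies to anyone/all users, not a delegated group")
    # The thread keeps deletion with full admins; flag it in a delegated ACI.
    if "delete" in perms:
        findings.append("delete right granted; deletion was reserved for admins")
    # Write on every attribute lets the holder rewrite the whole entry.
    if "write" in perms and attrs is not None and "*" in attrs:
        findings.append("write granted on all attributes (targetattr = *)")
    # Conservative assumption: a write grant with no targetattr deserves review.
    if "write" in perms and attrs is None:
        findings.append("write granted without an explicit targetattr; review scope")
    # cn=* under cn=groups means member write on every group, not just one.
    if "write" in perms and ",cn=groups," in target and "cn=*" in target:
        findings.append("write targets every group under cn=groups")
    return findings


def review_all(acis):
    """Map each ACI's acl name to its list of findings."""
    return {p["name"]: review_aci(p) for p in map(parse_aci, acis)}


if __name__ == "__main__":
    for name, found in review_all(SAMPLE_ACIS).items():
        print(name, "->", found or "ok")
```

The two grants from the thread come back clean; the third is flagged on four points (anyone bind, delete right, wildcard targetattr, wildcard group target). Running a check like this over the output of an ldapsearch for aci attributes is a cheap way to see what a delegation group can actually touch before handing it out.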