[Freeipa-users] Trying to get my head around Delegating admin permissions and groups
Rob Crittenden
rcritten at redhat.com
Tue Mar 27 22:09:19 UTC 2012
Steven Jones wrote:
> Hi,
>
> I want to have 2 trees of user (and, or? host?) groups, one server branch and one desktop as the desktop admins differ from the server admins and have to be kept separate......so that seems to be a high level thing....
>
> So reading the delegation section its unclear if I am in the right place or what permission to give....so for a top level admin I give the manager attribute? to the top group or simply all? or what? looking down the attributes I see things like "cn" so I see nothing that helps me understand.....yep Im lost.....
>
> What I need to do is give the desktop admins control over desktops and desktop users but not any over servers and server users and the the server admins the opposite.
>
> There are also going to be at least two password policies, one for staff and one for students. After a bit I will have passync from AD for staff so that policy needs to be disabled...also the requirement to reset their password on first login as that's done via AD
>
> So is the best way to make a top level group for each of the two trees, delegate this to each admin branch (manager?) to that? and then under that have two groups where I attach each of the password policies? seems logical, but who knows....
>
> Say a group labeled 1 is the top for the server tree with 2 under it for staff server passwords and 3 for student server passwords.
>
> Say a group labeled A is the top for the desktop tree with B under it for staff server passwords and C for student server passwords...
>
> hope my asci art works....
>
> 2
> 1<
> 3
>
> b
> a<
> c
>
> So a staff password policy is attached to 2 and B and a student password policy is attached to 3 and C?
>
> :/
>
> Is this clear?
>
> The next Q is doing the nesting, I get confused on which way it goes........1 goes into group 2 and 3 while a goes into b and c?
>
> That way 1 has "control over" 2 and 3? which is what I want....
>
> or do 2 and 3 go into 1? cant see taht as 2 and 3 would have the same level as 1?
>
> I then have to repeat something similar for the hosts/clients?
IPA has a flat DIT, so all users are stored together, all groups, etc.
You cannot use the IPA tools to manage users stored elsewhere in the tree.
You can grant permissions via groups and hostgroups, I think that will
do what you need.
You'll need to craft a series of permissions granting access to modify
attributes of members of a group. Then create privileges and roles and
assign membership as necessary.
So for example you create a couple of groups: DesktopAdmins and
DesktopUsers.
Assign users as appropriate. It is ok for users to be members of both.
Here is how it might look. I'm just creating a permission to modify a
few attributes of a class of users but it should point you in the right
direction.
Create our groups
$ ipa group-add desktopusers --desc='Desktop users'
$ ipa group-add desktopadmins --desc='Desktop admins'
Create a permission to write some user attributes
$ ipa permission-add 'Manage desktop users' --memberof=desktopusers
--attrs='givenname,sn,telephonenumber' --type=user --permissions=write
Create some sample users (yes, one extra user)
$ echo password | ipa user-add --first=tim --last=user duser1 --password
$ echo password | ipa user-add --first=tim --last=user dadmin1 --password
$ echo password | ipa user-add --first=tim --last=user tuser1 --password
Assign members to groups
$ ipa group-add-member --users=duser1 desktopusers
$ ipa group-add-member --users=dadmin1 desktopadmins
Create privilege and role
$ ipa privilege-add 'Desktop admins' --desc='Desktop admins'
$ ipa role-add 'Desktop admins' --desc='Desktop admins'
$ ipa privilege-add-permission --permissions='Manage desktop users'
'Desktop admins'
$ ipa role-add-privilege --privileges='Desktop admins' 'Desktop admins'
Now become a desktop admin and test
$ kinit dadmin1
$ ipa user-mod --first=Gary duser1
----------------------
Modified user "duser1"
----------------------
User login: duser1
First name: Gary
Last name: user
Home directory: /home/duser1
Login shell: /bin/sh
UID: 643800004
GID: 643800004
Account disabled: False
Password: True
Member of groups: ipausers, desktopusers
Kerberos keys available: True
$ ipa user-mod --first=Gary tuser1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'givenName' attribute of entry
'uid=tuser1,cn=users,cn=accounts,dc=example,dc=com'.
You can see that it can manage the user we added to desktopusers but not
the other user.
Things you can't easily do are things like "Create a desktop user". You
can't easily do this because the group membership is assigned later.
regards
rob
More information about the Freeipa-users
mailing list