[Freeipa-users] User admins for different groups

Philipp Richter philipp.richter at linbit.com
Tue Mar 26 10:34:42 UTC 2013

On 03/26/2013 12:39 AM, Dmitri Pal wrote:

>> I am trying to do the following:
>> We have some branch offices at different locations. We want to use one ipa-server with replicas in each branch office. Each branch office should have its own set of administrators who should be able to create/modify/delete users for its own branch but should not be allowed to change users from other branches.
>> Every member of admin-at should be forced to create/modify/delete only users in branch-at. The same applies for admin-us/branch-us.
>> At first, I thought of a combination of (a) new role(s), with write/delete permissions set for the branch-at group, as well as an automember rule, but it seems there is no way to filter for the creator of an entry, which would be needed for the group membership.
>> Am I missing anything?
> This might help
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#delegating-users

Yes, I read the whole document but as far as I understand delegates are 
only helpful for editing existing records. I want admins of one branch 
to be able to also create users, but only in the assigned branch.

Currently we use standard openldap with different ou's for the branches. 
Each branch admin has full ldap permissions for its own ou-subtree.

: Philipp Richter
: LINBIT | Your Way to High Availability
: Tel: +43-1-8178292-51, Fax: +43-1-8178292-82
: http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
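As an added illustration (not part of the thread, and not FreeIPA's own delegation output), the following LDIF shows what the "edit existing records" part of the requirement looks like as a 389-ds ACI underneath FreeIPA: members of admin-at may write selected attributes of user entries that are members of branch-at, and nothing else. The base DN dc=example,dc=com and the attribute list are assumptions; the group names admin-at and branch-at are the ones from the thread.

```ldif
# Constructed example: scope a branch admin group's write rights to users in one branch group.
# Assumes a FreeIPA directory with base dc=example,dc=com (placeholder).
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter="(&(objectClass=posixAccount)(memberOf=cn=branch-at,cn=groups,cn=accounts,dc=example,dc=com))")(targetattr="givenName || sn || cn || mail || telephoneNumber || userPassword")(version 3.0; acl "admin-at may modify branch-at users"; allow (write) groupdn="ldap:///cn=admin-at,cn=groups,cn=accounts,dc=example,dc=com";)
```

The targetfilter is evaluated against an entry that already exists, and memberOf is maintained by the directory's memberOf plugin after the entry is written, so a filter of this shape cannot scope an add right to a branch; that is the same gap the reply above describes for creating users. A quick check after loading the ACI is to bind as a member of admin-at and attempt a modify on one branch-at user (should succeed) and one branch-us user (should be refused with insufficient access).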
