[Freeipa-users] User admins for different groups

Petr Spacek pspacek at redhat.com
Tue Mar 26 15:04:37 UTC 2013 

On 26.3.2013 15:10, Rob Crittenden wrote:
> Philipp Richter wrote:
>> On 03/26/2013 12:39 AM, Dmitri Pal wrote:
>>
>>>> I am trying to do the following:
>>>>
>>>> We have some branch offices at different locations. We want to use
>>>> one ipa-server with replicas in each branch office. Each branch
>>>> office should have it's own set of administrators who should be able
>>>> to create/modify/delete users for its own branch but should not be
>>>> allowed to change users from other branches.
>>>> every member of admin-at should be forced to create/modify/delete
>>>> only users in branch-at. The same applies for admin-us/branch-us.
>>>>
>>>> at first, i thought of a combination of (a) new role(s), with
>>>> write/delete permissions set for the branch-at group, as well as an
>>>> automember rule but it seems there is no way to filter for the
>>>> creator of an entry, which would be needed for the group membership..
>>>>
>>>> am i missing anything?
>>  >
>>> This might help
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#delegating-users
>>>
>>>
>>
>> Yes, I read the whole document but as far as I understand delegates are
>> only helpful for editing existing records. I want admins of one branch
>> to be able the also create users, but only in the assigned branch.
>>
>> Currently we use standard openldap with different ou's for the branches.
>> Each branch admin has full ldap permissions for it's own ou-subtree.
>>
>
> IPA uses a flat DIT so here is no way to control adding users in a given
> branch office.
>
> The most you'd be able to do is delegae management (delete/modify) a subset of
> users who are members of a group that represents that branch office. Any new
> users added would need to be added to the appropriate branch group by the
> admin adding them.

This sounds like big deficiency to me...
Is it possible to hack automember plugin to enforce some group assignment 
based on creator's group/name as proposed above? It should allow users to 
prepare some hand crafted ACIs, I guess.

(Sorry, I don't have any knowledge about automember internals :-)

-- 
Petr^2 Spacek

More information about the Freeipa-users mailing list