[Freeipa-users] Restrict user queries by OU or group

Jeff Clay jeffclay at gmail.com
Mon Jan 30 01:10:34 UTC 2017


I seem to remember reading somewhere (although I can’t find it now) that you can’t manage organizational units in the IPA server. If that’s the case, how can I restrict the query results made by a particular user account? Can I restrict a user to only see others within the same group?

For example, if FIPA is my LDAP backend for user accounts and I’m using a client that does contact lookups by AD, I would only want contacts of a certain group or OU returned depending on the account performing the query.

Traditionally, with LDAP, this is easy to do since you can put all users within an OU and the service account performing the query is only allowed to query within that OU and the OU is usually set as the base for the search.





