On to, 19 loka 2017, Chris Dagdigian via FreeIPA-users wrote:


Hi folks,

We have an absurdly complex multi-domain/multi-child AD forrest tied together on AWS via FreeIPA.

I'm spending a lot of time debugging login issues and the "ipa hbactest" command is fantastic at "proving" out if something should or should not work.

I currently "kinit admin" before running these commands but would like to be able to pass this 'power' on to other people, including project managers and other folks that I would not trust with direct IPA privileges that would let them accidentally do dangerous things :)

Has anyone set up an IPA user with read-only access or otherwise set up a locked down role so that a user can only run "ipa hbactest ..." type commands? Looking for sensible tips and guidance on spreading some IPA powers around to people that I would not normally want having higher level privileges.
Look at
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for
inspiration and potential issues to deal with.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to