Simo Sorce via FreeIPA-users wrote:
> On Wed, 2017-11-29 at 09:26 -0500, Rob Morin via FreeIPA-users wrote:
>> Ok so I will initially create the account. So far my tests went ok, this
>> special user can change the user's group and password, ONLY if they are
>> in the group sftponly. So that's ok. But I cannot seem to figure out how
>> to give Fred permission to be able to disable and enable a user in the
>> sftponly group. Is this possible?
> Not with standard permissions, but perhaps adding an explicit ACI on
> the sftponly group to allow Fred to change the "member" attribute would
> work ...
> You need to test this as Fred may then lack the permission to change
> the memberof attribute (automatically done by the system) on the users,
> so this may cause the whole operation to fail anyway.

I think current permissions support a targetfilter so you might be able
to use that, something like:

targetfilter = "(memberOf=cn=sftp,cn=groups,cn=accounts,dc=example,dc=com)"

I forget the syntax for specifying the targetfilter but this will
hopefully point you in the right direction.

> Simo.
>> Rob Morin
>> Systems/Network Administrator
>> Hardent Inc.
>> On 11/28/2017 11:13 AM, Rob Crittenden wrote:
>>> Rob Morin via FreeIPA-users wrote:
>>>> Hello all...
>>>> I was wondering if someone could help me out, is it possible to have a
>>>> user administer only one host/server. Meaning they would log on to
>>>> freeipa gui and be able to change a password or lock an account for one
>>>> host only. In our case our sftp server where someone else wants to
>>>> administer it, when I am not around, like add a user and so on.
>>>> Is this possible?
>>> User accounts can't be created or locked per-host because they are
>>> centralized.
>>> rob
>> _______________________________________________
>> FreeIPA-users mailing list --
>> To unsubscribe send an email to
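
One way to write the targetfilter idea from the reply above with the ipa CLI, as an added example that is not part of the thread or FreeIPA's own documentation: a write permission on nsAccountLock limited to members of one group, handed to a delegate through a privilege and a role. The group name sftponly, the base DN dc=example,dc=com, the login fred and the permission, privilege and role labels are assumptions; the script prints the commands for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: group "sftponly", base DN
# dc=example,dc=com, login "fred", and the permission/privilege/role labels.
SFTP_GROUP="${SFTP_GROUP:-sftponly}"
BASEDN="${BASEDN:-dc=example,dc=com}"
DELEGATE="${DELEGATE:-fred}"
PERM="SFTP: toggle account lock"
PRIV="SFTP account lock"
ROLE="SFTP helpdesk"

# Accept only plain names so nothing can alter the LDAP filter or the quoting.
safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Accept only simple attr=value RDNs in the base DN (letters, digits, . - = ,).
safe_dn() {
    case "$1" in
        ''|*[!A-Za-z0-9.=,-]*) return 1 ;;
    esac
}

# Build the extra target filter: only entries that are members of the group.
member_filter() {
    safe_name "$1" && safe_dn "$2" || return 1
    printf '(memberOf=cn=%s,cn=groups,cn=accounts,%s)' "$1" "$2"
}

# Print the ipa commands, one per line: a write permission on nsAccountLock
# (the attribute "ipa user-disable" / "ipa user-enable" change), scoped by the
# filter, then the privilege -> role -> member chain that hands it to DELEGATE.
plan() {
    filter=$(member_filter "$SFTP_GROUP" "$BASEDN") || return 1
    safe_name "$DELEGATE" || return 1
    echo "ipa permission-add '$PERM' --type=user --right=write --attrs=nsaccountlock --filter='$filter'"
    echo "ipa privilege-add '$PRIV'"
    echo "ipa privilege-add-permission '$PRIV' --permissions='$PERM'"
    echo "ipa role-add '$ROLE'"
    echo "ipa role-add-privilege '$ROLE' --privileges='$PRIV'"
    echo "ipa role-add-member '$ROLE' --users='$DELEGATE'"
}

# Dry run by default; APPLY=1 runs the plan (needs an admin Kerberos ticket).
cmds=$(plan) || exit 1
if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$cmds" | sh -e; else printf '%s\n' "$cmds"; fi
```

After applying, check the scope from the delegate's own session: disabling a member of the group should succeed and disabling any other user should be refused.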