Simo Sorce via FreeIPA-users wrote:
> On Wed, 2017-11-29 at 09:26 -0500, Rob Morin via FreeIPA-users wrote:
>> Ok so I will initially create the account. So far my tests went ok, this
>> special user can change the users group and password, ONLY if they are
>> in the group sftponly. So that's ok. But I cannot seem to figure out how
>> to give Fred permission to be able to disable and enable a user in the
>> sftponly group. Is this possible?
>
> Not with standard permissions, but perhaps adding an explicit ACI on
> the sftponly group to allow Fred to change the "member" attribute would
> work ...
>
> You need to test this as Fred may then lack the permission to change
> the memberof attribute (automatically done by the system) on the users,
> so this may cause the whole operation to fail anyway.

I think current permissions support a targetfilter so you might be able
to use that, something like:

targetfilter = "(memberOf=cn=sftp,cn=groups,cn=accounts,dc=example,dc=com)"

I forget the syntax for specifying the targetfilter but this will
hopefully point you in the right direction.

rob

>
> Simo.
>
>> Rob Morin
>> Systems/Network Administrator
>> Hardent Inc.
>>
>> On 11/28/2017 11:13 AM, Rob Crittenden wrote:
>>> Rob Morin via FreeIPA-users wrote:
>>>> Hello all...
>>>>
>>>> I was wondering if someone could help me out, is it possible to have a
>>>> user administer only one host/server. Meaning they would log on to
>>>> freeipa gui and be able to change a password or lock an account for one
>>>> host only. In our case our sftp server where someone else wants to
>>>> administer it, when I am not around, like add a user and so on.
>>>>
>>>> Is this possible?
>>>
>>> User accounts can't be created or locked per-host because they are
>>> centralized.
>>>
>>> rob
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- email@example.com
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> _______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
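
The targetfilter idea from the reply above, as an added example that is not part of the thread or of FreeIPA's own code: the ipa CLI's `permission-add --memberof` option restricts a permission to entries that are members of a group, so the filter DN does not have to be written by hand. The permission, privilege and role names and the login `fred` are assumptions; `nsaccountlock` is the attribute that disabling a user sets, so the delegate gets write access to that one attribute only.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are assumptions.
GROUP="sftponly"                  # group whose members may be locked/unlocked
DELEGATE="fred"                   # login of the delegated helper (assumed)
PERM="sftponly: lock accounts"    # hypothetical permission name
PRIV="sftponly account locking"   # hypothetical privilege name
ROLE="sftponly helpdesk"          # hypothetical role name

# Build permission -> privilege -> role and attach the delegate.
# Run as an IPA admin holding a valid Kerberos ticket (kinit admin).
grant_group_lock() {
    # Write access to nsaccountlock only, and only on user entries whose
    # memberOf points at $GROUP. Nothing here touches the group's "member"
    # attribute, so membership itself stays under the admin's control.
    ipa permission-add "$PERM" --type=user --right=write \
        --attrs=nsaccountlock --memberof="$GROUP" || return 1
    ipa privilege-add "$PRIV" || return 1
    ipa privilege-add-permission "$PRIV" --permissions="$PERM" || return 1
    ipa role-add "$ROLE" || return 1
    ipa role-add-privilege "$ROLE" --privileges="$PRIV" || return 1
    ipa role-add-member "$ROLE" --users="$DELEGATE" || return 1
}

# Print the stored permission so the target filter can be reviewed.
show_group_lock() {
    ipa permission-show "$PERM" --all --raw
}

# Nothing is changed unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then
    grant_group_lock && show_group_lock
fi
```

After applying it, confirm the scope by having the delegate run `ipa user-disable` against one member of the group and one non-member; only the first should succeed.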