OK, great, thanks. I will give it a shot and get back to you.

Have a great day!

Rob Morin
Systems/Network Administrator
Hardent Inc.

On 11/29/2017 10:21 AM, Rob Crittenden wrote:
Simo Sorce via FreeIPA-users wrote:
On Wed, 2017-11-29 at 09:26 -0500, Rob Morin via FreeIPA-users wrote:
OK, so I will initially create the account. So far my tests went OK; this
special user can change the user's group and password, ONLY if they are
in the group sftponly. So that's OK. But I cannot seem to figure out how
to give Fred permission to be able to disable and enable a user in the
sftponly group. Is this possible?
Not with standard permissions, but perhaps adding an explicit ACI on
the sftponly group to allow Fred to change the "member" attribute would
work ...

You need to test this as Fred may then lack the permission to change
the memberof attribute (automatically done by the system) on the users,
so this may cause the whole operation to fail anyway.
I think current permissions support a targetfilter so you might be able
to use that, something like:

targetfilter = "(memberOf=cn=sftp,cn=groups,cn=accounts,dc=example,dc=com)"

I forget the syntax for specifying the targetfilter but this will
hopefully point you in the right direction.

rob
Simo.

Rob Morin
Systems/Network Administrator
Hardent Inc.

On 11/28/2017 11:13 AM, Rob Crittenden wrote:
Rob Morin via FreeIPA-users wrote:
Hello all...

I was wondering if someone could help me out: is it possible to have a
user administer only one host/server? Meaning they would log on to the
FreeIPA GUI and be able to change a password or lock an account for one
host only. In our case, our sftp server, where someone else wants to
administer it when I am not around, like add a user and so on.

Is this possible?
User accounts can't be created or locked per-host because they are
centralized.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org