We have a requirement to segregate different types of users, including customers, administrators, clients, and infrastructure hosts, into separate realms or unique IPA installations. While this is potentially feasible through the Trust feature, considering its ongoing development state, we're looking for alternative solutions. (see pic https://imgur.com/a/uqtbjly)
Our objectives are:

1) Admin users within the ADMIN.NOVALOCAL realm should have sudo access to hosts within the realms of CUSTOMER1.NOVALOCAL and CUSTOMER2.NOVALOCAL.

2) Admin users should also possess the capability to manage IPA entities within both customer installations of FreeIPA.

We possess a rudimentary understanding of how to tackle the second objective. However, for the first one, our strategy is less clear. One available method is to instantiate hosts with a custom PAM configuration and administer access for administrators via the pam_ldap module. But we are also open to better suggestions if anyone can put any forward.

_______________________________________________
FreeIPA-users mailing list
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
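One way to approach the first objective without a cross-realm trust, as an added example that is not part of the original post or of the FreeIPA project: keep each host enrolled in its customer realm and add a second SSSD domain that reads users, groups and sudo rules from the ADMIN.NOVALOCAL IPA server over LDAP, rather than a hand-rolled pam_ldap stack. SSSD is what ipa-client-install already configures, so this adds one domain stanza instead of a parallel PAM path. The server names (ipa.admin.novalocal, ipa.customer1.novalocal), the directory suffixes, the group customer-admins and the CA certificate path are assumptions.

```ini
# /etc/sssd/sssd.conf on a host enrolled in CUSTOMER1.NOVALOCAL
# Added example; names and paths below are assumptions, not from the post.
# File must stay mode 0600, owner root, or sssd refuses to start.
[sssd]
services = nss, pam, sudo
# Lookup order matters: an unqualified name is resolved in the first
# domain that knows it, so a "root"-like collision in ADMIN cannot
# shadow a CUSTOMER1 account, but a shared name can be masked the other way.
domains = customer1.novalocal, admin.novalocal

[domain/customer1.novalocal]
# Stanza written by ipa-client-install; left as is.
id_provider = ipa
ipa_domain = customer1.novalocal
ipa_server = _srv_, ipa.customer1.novalocal
ipa_hostname = host1.customer1.novalocal
krb5_realm = CUSTOMER1.NOVALOCAL
cache_credentials = True

[domain/admin.novalocal]
# Plain LDAP + Kerberos domain against the ADMIN realm's IPA server.
# Identity and sudo rules come from ADMIN's directory; passwords are
# verified against ADMIN's KDC, so nothing secret is copied to this host.
id_provider = ldap
auth_provider = krb5
sudo_provider = ldap
ldap_schema = IPA
ldap_uri = ldaps://ipa.admin.novalocal
ldap_tls_cacert = /etc/ipa/admin-ca.crt
ldap_search_base = dc=admin,dc=novalocal
ldap_user_search_base = cn=users,cn=accounts,dc=admin,dc=novalocal
ldap_group_search_base = cn=groups,cn=accounts,dc=admin,dc=novalocal
# IPA exposes its sudo rules in a sudoers-compatible tree (slapi-nis compat
# plugin); sssd filters them by this host's name (sudoHost).
ldap_sudo_search_base = ou=sudoers,dc=admin,dc=novalocal
krb5_realm = ADMIN.NOVALOCAL
krb5_server = ipa.admin.novalocal
# Least privilege: only members of one ADMIN group may log in here at all,
# independently of whatever sudo rules later grant them.
access_provider = ldap
ldap_access_filter = memberOf=cn=customer-admins,cn=groups,cn=accounts,dc=admin,dc=novalocal
# If ADMIN's directory does not allow anonymous reads of ou=sudoers, add a
# bind identity here (ldap_default_bind_dn / ldap_default_authtok, or a
# GSSAPI keytab via ldap_sasl_mech) instead of relying on anonymous access.
```

To make this work the host also needs a `[realms]` entry for ADMIN.NOVALOCAL in /etc/krb5.conf, `sudoers: files sss` in /etc/nsswitch.conf, and a sudo rule in the ADMIN IPA whose host side covers the customer hosts (host category "all" or a hostmask, since those hosts are not enrolled in ADMIN's IPA and have no host entry there). After `systemctl restart sssd`, `id someadmin` and `sudo -l` run as that admin on the customer host confirm that identity and the rule resolve. The trade-off against the pam_ldap idea in the post is the same one to check either way: the customer host now trusts a second directory for both identity and authorization, so the access filter and the TLS CA pinning above are what keep that trust narrow.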
