On Thu, 2 Sep 2010 16:26:26 -0700
Brian LaMere <br...@cukerinteractive.com> wrote:

> >
> > 389 access control is pretty powerful and flexible.  There's
> > usually a way to do what you want to do without having to resort to
> > using subtrees (as in AD).
> >
> > http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
> >
> >
> aye - I already have everything on that side of the house working
> perfectly, in exactly the way I want it.  However, part of how I have
> that is based on ACIs attached to specific ou units.  So if it could
> probably be made to work without resorting to ACIs for individual
> OUs, then...ok.  I want PMs to be able to make people that are
> customers, but not people who are People (that sounds horrible, but
> you know what I mean...heh).  That's just one of example of many,
> including batch processes that make changes to specific ou units
> reserved for the activities of those processes.
> Perhaps I'll just install FreeIPA and see, then.

for non user/group/host objects you fully own and control you can use
whatever directory structure you want as long as you do not put them
under the cn=accounts subtree and keep them generally away from any IPA
controlled subtree.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to