On Thu, 2 Sep 2010 16:26:26 -0700
Brian LaMere <br...@cukerinteractive.com> wrote:
> > 389 access control is pretty powerful and flexible. There's
> > usually a way to do what you want to do without having to resort to
> > using subtrees (as in AD).
> > http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
> aye - I already have everything on that side of the house working
> perfectly, in exactly the way I want it. However, part of how I have
> that is based on ACIs attached to specific ou units. So if it could
> probably be made to work without resorting to ACIs for individual
> OUs, then...ok. I want PMs to be able to make people that are
> customers, but not people who are People (that sounds horrible, but
> you know what I mean...heh). That's just one example of many,
> including batch processes that make changes to specific ou units
> reserved for the activities of those processes.
> Perhaps I'll just install FreeIPA and see, then.
For non user/group/host objects you fully own and control you can use
whatever directory structure you want as long as you do not put them
under the cn=accounts subtree and keep them generally away from any IPA
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list