I want to have 2 trees of user (and, or? host?) groups, one server branch and
one desktop as the desktop admins differ from the server admins and have to be
kept separate......so that seems to be a high level thing....
So reading the delegation section its unclear if I am in the right place or
what permission to give....so for a top level admin I give the manager
attribute? to the top group or simply all? or what? looking down the
attributes I see things like "cn" so I see nothing that helps me
understand.....yep Im lost.....
What I need to do is give the desktop admins control over desktops and desktop
users but not any over servers and server users and the the server admins the
There are also going to be at least two password policies, one for staff and
one for students. After a bit I will have passync from AD for staff so that
policy needs to be disabled...also the requirement to reset their password on
first login as that's done via AD
So is the best way to make a top level group for each of the two trees,
delegate this to each admin branch (manager?) to that? and then under that have
two groups where I attach each of the password policies? seems logical, but
Say a group labeled 1 is the top for the server tree with 2 under it for staff
server passwords and 3 for student server passwords.
Say a group labeled A is the top for the desktop tree with B under it for
staff server passwords and C for student server passwords...
hope my asci art works....
So a staff password policy is attached to 2 and B and a student password policy
is attached to 3 and C?
Is this clear?
The next Q is doing the nesting, I get confused on which way it goes........1
goes into group 2 and 3 while a goes into b and c?
That way 1 has "control over" 2 and 3? which is what I want....
or do 2 and 3 go into 1? cant see taht as 2 and 3 would have the same level as
I then have to repeat something similar for the hosts/clients?
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Freeipa-users mailing list