It Meme wrote:
Assumption: Accounts have been provisioned in IPA.
Can the IPA provisioned accounts be subsequently managed by LDAP calls
from an external system? Examples: password update, group membership.
Password update via LDAP: yes
Group membership is just properly adding a member attribute with the DN
of the member into the right location, so yeah. This may depend on the
access rights of the user doing the change. Note that this is
potentially dangerous. For example, our management framework prevents
the last user from being removed from the admins group. If you do this
via LDAP you lose that protection.
Freeipa-users mailing list