John Moyer wrote:
I am trying to reduce the rights to an account so that it can only add
and remove machines from the IPA server. It will be used for scripts to
run as this user to bind machines that are stood up adhoc to the IPA
server, and then clean them up after they are ready for shutdown.
However, I don't want users that are allowed this access to be able to
do much else (like remove my account or any of my engineers accounts).
I was wondering if anyone had any words of wisdom on how to do this
before I started doing guess and check research (since a few google
search have yielded nothing).
See the "Host Enrollment" privilege.
Add that to a role (maybe a new one), add a group of the users you want
to be able to do this to the role, and that should be it.
Freeipa-users mailing list