On 03/26/2013 12:39 AM, Dmitri Pal wrote:
I am trying to do the following:
We have some branch offices at different locations. We want to use one
ipa-server with replicas in each branch office. Each branch office should have
its own set of administrators who should be able to create/modify/delete users
for its own branch but should not be allowed to change users from other
every member of admin-at should be forced to create/modify/delete only users in
branch-at. The same applies for admin-us/branch-us.
At first, I thought of a combination of (a) new role(s), with write/delete
permissions set for the branch-at group, as well as an automember rule, but it
seems there is no way to filter for the creator of an entry, which would be
needed for the group membership.
Am I missing anything?
This might help
Yes, I read the whole document but as far as I understand delegates are
only helpful for editing existing records. I want admins of one branch
to be able to also create users, but only in the assigned branch.
Currently we use standard OpenLDAP with different OUs for the branches.
Each branch admin has full LDAP permissions for its own OU subtree.
: Philipp Richter
: LINBIT | Your Way to High Availability
: Tel: +43-1-8178292-51, Fax: +43-1-8178292-82
DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
Freeipa-users mailing list