Please keep freeipa-users in CC


On 08.08.2016 11:22, Deepak Dimri wrote:
Thanks Martin,

Don't i need to create subdomain for each team and then register the hosts under that domain and finally assign HBAC?

HBAC rule is per host/hostgroup and it is unrelated to domain. Read doc there should be everything :)

Martin





Regards,
Deepak



------------------------------------------------------------------------
Subject: Re: [Freeipa-users] Delegated Administration in IPA
To: deepak_di...@hotmail.com; freeipa-users@redhat.com
From: mba...@redhat.com
Date: Mon, 8 Aug 2016 10:41:59 +0200




On 08.08.2016 10:03, Deepak Dimri wrote:

    Hi List,

    I want some help here! i have 100 of linux servers and ec2
    instances  used by various teams/departments.   I want to have
    group wise  clubbing of these servers so that i can delegate
    administration access to manager of  that particular group. For
    example lets say out of those 100 servers, 25 servers belongs to
    engineering team so i want to register these 25 servers under
    engineering group/domain and then assign the full administration
    access to engineering manager to manage these 25 servers and there
    accesses.

    I am getting a sense that we can create DNS subdomains for each
    team i.e. engineering.<ipa server domain name> and then register
    those 25 servers under engineering.<ipa server domain name> but
    then i am not sure how i can assign the access and do rest of the
    configurations.

    I would be thankfully if any of you can provide with configuration
    steps to help me

    Thanks,
    Deepak



Hello,

I think you need HBAC https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html

You need add servers to particular hostgroups, and create HBAC rules according the doc ^^^

Martin




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to