[Freeipa-users] Permit non-admin users to add user accounts

Daniel Scott djscott at mit.edu
Fri May 8 14:38:36 UTC 2009


Hi,

Wow, that was an amazingly detailed and fast reply, thanks.

2009/5/7 Rob Crittenden <rcritten at redhat.com>:
> Yes, by default this is not possible to do in v1 and is planned for v2.
>
> It would be pretty hairy to manually do this in v1 but it would be possible.
> It would involve creating a couple of DS ACIs and creating a group to grant
> the access to.
>
> Something like this ACI would grant creating IPA users (where $SUFFIX is
> something like dc=mit,dc=edu):
>
> aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
>  3.0;acl "Add Users";allow (add) groupdn =
> "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)
>
> Then create an addusers group and you can add users/groups to that.

I'll look into ACIs a little more - it looks like the one you provided
will do fine. If I'm understanding it correctly, that would permit
members of the 'addusers' group to add general users? They wouldn't be
forced into a particular group? I guess I would need a rule similar to
that which adds all users into the 'ipausers' group to automatically
put them into my chosen group.

> Of course once you open this can of worms things get interesting because
> then you'll want to delete and modify users, and then groups, and...

Sure. Thankfully, we don't imagine that deletions will happen very
often, so we can get a full admin to do that. I've used the
'delegation' part of the freeipa control panel to create a group which
can modify users in another group. This seems to work fine. Are there
any problems with this that you know of?

Thanks for the other information related to version 2, very
interesting. And thanks again for the detailed reply.

Initially, we think this will be pretty low volume, so full admins can
handle a lot of stuff. We just want to be prepared in case the volume
increases.

Thanks,

Dan
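Rob's ACI above, rendered for a concrete suffix and then checked so that the delegated group gets add rights and nothing more. This is an added example, not code from the thread, FreeIPA or 389 DS; the ACI template is the one quoted above, while the regexes and the `check_add_only` helper are my own assumptions about how to audit it.

```python
import re

# ACI quoted in the thread, with $SUFFIX, the group and the rights as fields.
ACI_TEMPLATE = (
    '(target = "ldap:///uid=*,cn=users,cn=accounts,{suffix}")'
    '(version 3.0;acl "{name}";allow ({rights}) groupdn = '
    '"ldap:///cn={group},cn=groups,cn=accounts,{suffix}";)'
)


def build_aci(suffix, group="addusers", rights=("add",), name="Add Users"):
    """Fill in the ACI for a suffix such as dc=mit,dc=edu."""
    return ACI_TEMPLATE.format(suffix=suffix, group=group,
                               rights=",".join(rights), name=name)


# Assumed (simplified) parsing of the ACI syntax: rights, target and bind rule.
_RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.IGNORECASE)
_TARGET = re.compile(r'\(target\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_GROUPDN = re.compile(r'groupdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)


def aci_rights(aci):
    """Return {'allow': set(...), 'deny': set(...)} parsed from an ACI string."""
    out = {"allow": set(), "deny": set()}
    for kind, rights in _RIGHTS.findall(aci):
        out[kind.lower()].update(
            r.strip().lower() for r in rights.split(",") if r.strip())
    return out


def check_add_only(aci, suffix, group="addusers"):
    """Least-privilege audit: the group may only add entries under cn=users.

    Returns a list of problems; an empty list means the ACI is as intended.
    """
    problems = []
    extra = aci_rights(aci)["allow"] - {"add"}
    if extra:
        problems.append("grants more than add: %s" % ",".join(sorted(extra)))
    want_target = "ldap:///uid=*,cn=users,cn=accounts,%s" % suffix
    t = _TARGET.search(aci)
    if not t or t.group(1) != want_target:
        problems.append("target is not %s" % want_target)
    want_group = "cn=%s,cn=groups,cn=accounts,%s" % (group, suffix)
    g = _GROUPDN.search(aci)
    if not g or g.group(1) != want_group:
        problems.append("groupdn is not %s" % want_group)
    return problems
```

Running `check_add_only` over every `aci` attribute pulled from the directory (for example via `ldapsearch`) is a quick way to notice when someone later widens the "Add Users" ACI to delete or write.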
