[Freeipa-users] Limiting group/user visibility

Lassi Pölönen lassi.polonen at iki.fi
Sat Dec 3 10:52:42 UTC 2011


On 2.12.2011 17:41, Simo Sorce wrote:
> On Fri, 2011-12-02 at 08:01 -0600, david t. klein wrote:
>> I think, rather than replicating your admin accounts, have a separate admin
>> realm, and then have all customer realms trust your admin realm, and use
>> those credentials.
> In future this will be an easier way.
> But right now trust relationships won't allow you to use a single admin
> account to actually manage multiple freeipa realms.
>
> Simo.

 From my point of view the fact that a single instance is only able to 
run a single realm is even a bigger issue. But I think we can accomplish 
what we need with pretty simple ACIs since the need for limiting the 
visibility isn't too complex and follows the same pattern with every 
customer.

-Lassi




More information about the Freeipa-users mailing list