[Freeipa-users] What's the recommended way to change OU structures in IPA?

John Dennis jdennis at redhat.com
Mon Aug 6 15:22:07 UTC 2012


On 08/06/2012 11:07 AM, Dale Macartney wrote:
> Although I can use any ldapmodify capable tool to do this, I was
> wondering what the "recommended" way that we should be telling customers
> who want to change OU trees?
>
> e.g., say in a high school using IPA, they wished to create a parent OU
> called cn=school accounts,dc=example,dc=com and inside that OU there are
> two more OUs. One for staff and one for students?
>
> Presumably this is not possible through the webUI.
>
> Also what are the implications if I move a user that was created with
> "ipa user-add" into a non-default OU? Will it break anything? What's the
> best way to move an existing user into one of the above OUs?

IPA only supports flat name spaces; you cannot partition the default 
containers. This was an early IPA design decision.

If you use ldapmodify to move entries it will break your IPA installation.

You can however assign users, hosts, etc. to groups. Then use group 
membership to control how a particular group of users behaves. It's easy 
to automate group membership via automember.


-- 
John Dennis <jdennis at redhat.com>
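
The group-plus-automember approach described in the reply above, as an added example that is not part of the original message or FreeIPA's own code. It assumes groups named staff and students, and that each user entry carries an employeetype attribute of staff or student; any other user attribute could serve as the automember key.

```shell
#!/bin/sh
# Added example: keep users in IPA's flat default container and express the
# staff/students split as groups populated by automember rules.
# Assumptions (not from the original post): group names "staff" and
# "students", and employeetype as the attribute the rules match on.
# Requires a valid admin Kerberos ticket (kinit admin) before running.

IPA="${IPA:-ipa}"   # set IPA=echo for a dry run that only prints the commands

# Create a user group and an automember rule that fills it.
# $1 = group name, $2 = description, $3 = regex matched against employeetype
add_automember_group() {
    "$IPA" group-add "$1" --desc="$2" || return 1
    "$IPA" automember-add "$1" --type=group || return 1
    "$IPA" automember-add-condition "$1" --type=group \
        --key=employeetype --inclusive-regex="$3"
}

# One group per would-be OU; the directory tree itself is left untouched.
setup_school_groups() {
    add_automember_group staff "School staff accounts" '^staff$' &&
    add_automember_group students "School student accounts" '^student$'
}

# Add a user through the supported CLI. The entry lands in the default users
# container and automember places it in the matching group at creation time.
# $1 = login, $2 = first name, $3 = last name, $4 = staff|student
add_school_user() {
    "$IPA" user-add "$1" --first="$2" --last="$3" \
        --setattr="employeetype=$4"
}
```

Call `setup_school_groups` once, then `add_school_user` for each new account. Automember rules are evaluated when an entry is added, so users that already exist need `ipa group-add-member` or, on FreeIPA releases that provide it, `ipa automember-rebuild --type=group`.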
