[Freeipa-users] User admins for different groups

Sigbjorn Lie sigbjorn at nixtra.com
Fri Mar 29 18:59:59 UTC 2013




On Fri, March 29, 2013 19:10, Dmitri Pal wrote:
> On 03/28/2013 05:11 AM, Petr Spacek wrote:
>
>> On 28.3.2013 09:38, Philipp Richter wrote:
>>
>>> Am 26.03.2013 um 16:55 schrieb Rob Crittenden <rcritten at redhat.com>:
>>>
>>>
>>>> Petr Spacek wrote:
>>>>
>>>>> On 26.3.2013 15:10, Rob Crittenden wrote:
>>>>>
>>>>>> Philipp Richter wrote:
>>>>>>
>>>>>>> On 03/26/2013 12:39 AM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>
>>>>>>>>> I am trying to do the following:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> We have some branch offices at different locations. We want to use
>>>>>>>>> one ipa-server with replicas in each branch office. Each branch office should have
>>>>>>>>> it's own set of administrators who should be able to create/modify/delete users for
>>>>>>>>> its own branch but should not be allowed to change users from other branches. every
>>>>>>>>> member of admin-at should be forced to create/modify/delete only users in
>>>>>>>>> branch-at. The same applies for admin-us/branch-us.
>>>>>>>>>
>>>>>>>>> at first, i thought of a combination of (a) new role(s), with write/delete
>>>>>>>>> permissions set for the branch-at group, as well as an automember rule but it seems
>>>>>>>>> there is no way to filter for the creator of an entry, which would be needed for
>>>>>>>>> the group membership..
>>>>>>>>>
>>>>>>>>> am i missing anything?
>>>>>>>>
>>>>>>>> This might help
>>>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-singl
>>>>>>>> e/Identity_Management_Guide/index.html#delegating-users
>>>>>>>>
>>>>>>>
>>>>>>> Yes, I read the whole document but as far as I understand
>>>>>>> delegates are only helpful for editing existing records. I want admins of one branch to
>>>>>>> be able the also create users, but only in the assigned branch.
>>>>>>>
>>>>>>> Currently we use standard openldap with different ou's for the
>>>>>>> branches. Each branch admin has full ldap permissions for it's own ou-subtree.
>>>>>>>
>>>>>>
>>>>>> IPA uses a flat DIT so here is no way to control adding users in a
>>>>>> given branch office.
>>>>>>
>>>>>> The most you'd be able to do is delegae management (delete/modify) a
>>>>>> subset of users who are members of a group that represents that branch office. Any new
>>>>>> users added would need to be added to the appropriate branch group by the admin adding
>>>>>> them.
>>>>>
>>>>> This sounds like big deficiency to me...
>>>>> Is it possible to hack automember plugin to enforce some group
>>>>> assignment based on creator's group/name as proposed above? It should allow users to
>>>>> prepare some hand crafted ACIs, I guess.
>>>>>
>>>>> (Sorry, I don't have any knowledge about automember internals :-)
>>>>>
>>>>
>>>> Using automember doesn't prevent an admin from adding a user outside
>>>> of the branch. It would just automatically assign that new user to the correct branch based
>>>> on the automember rules AND assuming that the admin that added the user included the right
>>>> information for the rules.
>>>>
>>>> ACIs control add at the subtree level, so for us it is a binary.
>>>> Either you can add users or you can't.
>>>>
>>>
>>> In our current ldap implementation (openldap) there are some
>>> attributes which are implicitly set. I think these are creation/modification time and creator's
>>> name. So if these attributes would exist in ipa one could set up automember rules based on the
>>>  creators name.
>>>
>>> Is there a way to switch such attributes on?
>>>
>>
>> creatorsname is present, but is not returned from search if you didn't require it explicitly:
>>
>> $ ldapsearch -Y GSSAPI 'creatorsname'
>> [...]
>> creatorsname: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>
>>
>
> So does that mean that automembership plugin can be configured to place
> users into the right groups based on the value of this attribute? That would be really awesome!
>
>

It looks like that works just fine! I've been looking for a solution for this too! Awesome! :)

ipa automember-add-condition usergroupname --inclusive-regex="uid=creatorusername.*"
--key=creatorsname --type=group
--------------------------------
Added condition(s) to "usergroupname"
--------------------------------
  Automember Rule: usergroupname
  Inclusive Regex: creatorsname=uid=creatorusername.*


# ipa user-add atest2
---snip---

# ipa group-show usergroupname
  Group name: usergroupname
  Description: Created by creatorsname
  Member users: atest2


Is there any reason not to use the creatorsname attribute? Is there a reason it does not exist as
a selectable key in the webui?



Rgds,
Siggi






More information about the Freeipa-users mailing list