On Wed, 2017-11-29 at 09:26 -0500, Rob Morin via FreeIPA-users wrote:
Ok so I will Initially create the account. So far my tests went ok,
this
special user can change the users group and password , ONLY if they are
in the group sftponly. So that's ok. But I cannot seem to figure out how
to give Fred permission to be able to disable and enable a user in the
sftponly group group. Is this possible?
Not with standard permissions, but perhaps adding an explicit ACI on
the sftponly group to allow Fred to change the "member" attribute would
work ...
You need to test this as Fred may then lack the permission to change
the memberof attribute (automatically done by the system) on the users,
so this may cause the whole operation to fail anyway.
Simo.
Rob Morin
Systems/Network Administrator
Hardent Inc.
On 11/28/2017 11:13 AM, Rob Crittenden wrote:
> Rob Morin via FreeIPA-users wrote:
> > Hello all...
> >
> > I was wondering if someone could help me out, is it possible to have a
> > user administer only one host/server. Meaning they would log on to
> > freeipa gui and be able to change a password or lock and account for one
> > host only. In our case our sftp server where someone else wants to
> > administer it, when i am not around, like add a user and so on.
> >
> > Is this possible?
>
> User accounts can't be created or locked per-host because they are
> centralized.
>
> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc