Hello!
I encountered a problem with differentiating user rights in FreeIPA.
Example 1:
I have two user groups, for example "Priveledge Users" and "Minimal rights". For example, I'd like to remove the ability of a user from the group "Minimal rights" to see the section of created Services. I set the "Bind rule type" in RBAC for "System: Read Services" from "all" to "permission", and then I add this permission to every pre-defined Privilege (there are no Privileges linked to the user group "Minimal rights"). Then, when I connect as a user from the group "Minimal rights", I can't see any services; in this case everything works well. But the next time I send a request to create/delete a certificate for a Service (tested only with ipa-getcert), I get the status "CA Unreachable".
When I switch the bind type of "System: Read Services" back to "all", ipa-getcert works correctly, but users from the group "Minimal rights" can see Services again. So my question is: how do I correctly set the permission "System: Read Services" so that a user from the group does not see the Services, and ipa-getcert still works correctly?
____
Example 2: A similar example, but now with sshd authentication. For example, now I'd like to remove the ability of a user from the group "Minimal rights" to see the section of user groups.
If I set the permission "System: Read User Membership", then a user from the group "Minimal rights" can't see any user groups, but then I can't authenticate at the host via ssh (I have created an HBAC rule which grants one group of users access to a group of hosts).
How can I set this permission correctly, so that a user from the group does not see the user groups and HBAC still works correctly?
freeipa-users@lists.fedorahosted.org