On 23/08/2023 13.48, Ivan Nagornov via FreeIPA-users wrote:
> Hi all, just a small question about access control in FreeIPA which has been
> going around in my head for a few days:
> - is there any possibility to restrict ACI permissions in FreeIPA to limit
> their impact to other groups/users?
> We have a theoretical situation. Let's suppose that we have the permission "Manage
> User Password"; this permission is included in a privilege, then in a role, and the role
> should be assigned.
> When we assign this role to Account1, this account can change the password of any user in
> this realm (let it be "freeipa.test.lab").
> So, in detail, my question is: can we somehow limit the permission for Account1
> so that it works only for a target group of users? Let's imagine that
> we have a branch and an administrator in this branch who should change passwords
> only for users in this branch.
Yes, it is possible, but not with the default permission. You have to
create a new permission, which limits write access to user password with
a memberOf target filter:
Bind rule type: permission
Granted rights: write
Type: User
Member of group: your-group-name
Effective attributes: userpassword
Accounts with this permission can change the password of user accounts
that are members of the "your-group-name" group. The new permission creates
an ACI with
(targetattr = "userpassword")
and
(targetfilter = "(&(memberOf=cn=your-group-name,cn=groups,cn=accounts,$SUFFIX)(objectclass=posixaccount))")
> I know that another instance of FreeIPA and maybe trusts between these 2
> instances could work, but firstly I wish to solve this task in the simple way.
FreeIPA to FreeIPA trust is not implemented yet. There is currently no
way to establish trust between two FreeIPA domains.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
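The memberOf-scoped permission described in the reply above, as an added example that is not FreeIPA's own code: it builds the targetfilter the new permission produces, then evaluates that filter against constructed sample user entries to show which accounts' passwords fall in scope. The base DN for freeipa.test.lab, the group names and the user entries are assumptions; the unscoped variant is only a model of a permission without a "Member of group" value.

```python
from typing import Dict, List, Optional
import re

# Assumed base DN for the realm "freeipa.test.lab" (the $SUFFIX placeholder above).
SUFFIX = "dc=freeipa,dc=test,dc=lab"


def aci_targetfilter(group: Optional[str]) -> str:
    """Targetfilter written for a permission of type User.

    With a "Member of group" value the user clause is AND-ed with a memberOf
    term, as shown in the reply; None models an unscoped permission (assumption)
    that targets every posixaccount in the realm.
    """
    user_clause = "(objectclass=posixaccount)"
    if group is None:
        return user_clause
    member_clause = f"(memberOf=cn={group},cn=groups,cn=accounts,{SUFFIX})"
    return f"(&{member_clause}{user_clause})"


def matches(filt: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a filter made of AND and equality terms against one entry.

    Names and values compare case-insensitively, as the directory does for
    these attributes; only the filter subset used here is supported.
    """
    if filt.startswith("(&"):
        return all(matches(t, entry) for t in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


# Constructed sample entries, attribute names lowercased. memberOf is kept by the
# server's memberOf plugin and includes nested groups, so carol (member of a team
# group nested inside branch-a) is also in scope.
BRANCH_DN = f"cn=branch-a,cn=groups,cn=accounts,{SUFFIX}"
TEAM_DN = f"cn=branch-a-team,cn=groups,cn=accounts,{SUFFIX}"
USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {"objectclass": ["top", "posixaccount"], "memberof": [BRANCH_DN]},
    "bob": {"objectclass": ["top", "posixaccount"], "memberof": []},
    "carol": {"objectclass": ["top", "posixaccount"], "memberof": [TEAM_DN, BRANCH_DN]},
}


def writable_users(filt: str) -> List[str]:
    """uids whose userpassword the ACI exposes for write under this targetfilter."""
    return sorted(uid for uid, e in USERS.items() if matches(filt, e))
```

The targetfilter only narrows which entries can be written; the bind rule still requires the account to hold the role that carries the permission.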