On 23/08/2023 13.48, Ivan Nagornov via FreeIPA-users wrote:
Hi all, just a small question about access control in FreeIPA which has
been bombing my head around for a few days:
- is there any possibility to restrict ACI permissions in FreeIPA to limit their impact
to other groups/users?
We have a theoretical situation. Let's suppose that we have the permission
"Manage User Password"; this permission is included in a privilege, then in a Role, and
the Role should be assigned.
When we assign this role to Account1, this account can change the password for any user in
this realm (let it be "freeipa.test.lab").
So, in detail my question is: can we somehow limit the permission for account1 to make
this permission work only for a target group of users? Let's imagine that we have a branch
and an administrator in this branch who should change passwords only for users in this
branch.
Yes, it is possible, but not with the default permission. You have to
create a new permission, which limits write access to the user password with
a memberOf target filter:
Bind rule type: permission
Granted rights: write
Type: User
Member of group: your-group-name
Effective attributes: userpassword
Accounts with this permission can change the password of user accounts
that are members of the "your-group-name" group. The new permission creates
an ACI with (targetattr = "userpassword") and
(targetfilter = "(&(memberOf=cn=your-group-name,cn=groups,cn=accounts,$SUFFIX)(objectclass=posixaccount))")
I know that another instance of FreeIPA and maybe trusts between
these 2 instances could work, but first I wish to solve this task in the simple way.
FreeIPA to FreeIPA trust is not implemented yet. There is currently no
way to establish trust between two FreeIPA domains.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH,
https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
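As an added example (not part of the thread), the ipa CLI sequence that creates the group-scoped permission Christian describes, wires it into a privilege and role, and then checks that the generated ACI really carries the memberOf targetfilter. The group, account, permission, privilege and role names are placeholders, and the suffix dc=freeipa,dc=test,dc=lab is assumed from the realm in Ivan's question.

```shell
#!/bin/sh
# Added example: delegate password resets for one branch only.
# Placeholders: BRANCH_GROUP, DELEGATE and the permission/privilege/role names.
BRANCH_GROUP="branch-users"
DELEGATE="account1"
PERM="Manage ${BRANCH_GROUP} passwords"
PRIV="${BRANCH_GROUP} password helpdesk"
ROLE="${BRANCH_GROUP} Helpdesk"
SUFFIX="dc=freeipa,dc=test,dc=lab"   # assumed from realm freeipa.test.lab

# The targetfilter the new permission should produce (mirrors the ACI in the reply).
expected_targetfilter() {
    printf '(&(memberOf=cn=%s,cn=groups,cn=accounts,%s)(objectclass=posixaccount))' "$1" "$2"
}

# Create permission, privilege and role. The default "Manage User Password"
# permission is deliberately NOT added: it would grant realm-wide write access.
apply() {
    ipa permission-add "$PERM" \
        --bindtype=permission \
        --right=write \
        --type=user \
        --memberof="$BRANCH_GROUP" \
        --attrs=userpassword
    ipa privilege-add "$PRIV" --desc="Reset passwords of ${BRANCH_GROUP} members"
    ipa privilege-add-permission "$PRIV" --permissions="$PERM"
    ipa role-add "$ROLE" --desc="Branch helpdesk for ${BRANCH_GROUP}"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    ipa role-add-member "$ROLE" --users="$DELEGATE"
}

# Verify the stored ACI is scoped to the branch group and not realm-wide.
verify() {
    aci=$(ipa permission-show "$PERM" --all --raw | grep -i '^ *aci:')
    case "$aci" in
        *"$(expected_targetfilter "$BRANCH_GROUP" "$SUFFIX")"*)
            echo "OK: '$PERM' is limited to members of $BRANCH_GROUP" ;;
        *)
            echo "WARNING: '$PERM' is not limited to $BRANCH_GROUP" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    apply)  apply && verify ;;
    verify) verify ;;
esac
```

Run as `sh delegate.sh apply` on an enrolled host with an admin ticket; `sh delegate.sh verify` alone re-checks an existing permission.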