The reverse membership of taskgroups and rolegroups was confusing so it is going to be re-designed, re-implemented and re-named.
aci and taskgroup are going to be combined into a single plugin named permission.
privilege will be a way to combine permissions.
role will replace rolegroups.
We will need to reverse the way membership appears in this. They will still use member/memberOf under the hood but we are somehow going to need to reverse the way they appear to users.
This permission will cover the taskgroup-style acis. We will need a separate plugin to handle ldap:///self acis.
We will also need to:
permissions, privileges and roles, oh my freeipa-rcrit-612-permission.patch
To test this, try the following. It sets up the helpdesk role to be able to do user administration. It then creates a new user and adds them to that role. Finally, become that user and try to add a new user; it should be successful.
$ kinit admin
$ ipa user-add --first=tim --last=user tuser1 --password
$ ipa user-add --first=jed --last=butler jbutler
FAIL
$ ipa role-add-member --users=tuser1 helpdesk
$ ipa role-add-privilege --privileges=useradmin helpdesk
$ kinit tuser1
$ ipa user-add --first=jed --last=butler jbutler
SUCCESS
You might also want to play around with the permissions and privileges, you can find out what is available with:
$ ipa permission-find
$ ipa privilege-find
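The chain exercised by the test above (user is a member of a role, the role carries privileges, each privilege combines permissions) can be modelled in a few lines. The following is an added illustration written for this page, not FreeIPA code; it assumes a directory that stores only forward member links and derives the memberOf view from them, as the ticket description says happens under the hood, and the permission names "add users" and "modify users" are made up for the example.

```python
from collections import defaultdict

# Entries are (kind, name) tuples so that users, roles, privileges and
# permissions can sit in the same member sets without being confused.
USER, ROLE, PRIVILEGE, PERMISSION = "user", "role", "privilege", "permission"


class ToyDirectory:
    """Toy model (not FreeIPA's implementation) of role/privilege/permission
    resolution. Only the forward 'member' attribute is stored; 'memberOf'
    is computed on demand, which is the reversal the ticket talks about."""

    def __init__(self):
        self.members = defaultdict(set)  # container -> set of member entries

    def add_member(self, container, entry):
        self.members[container].add(entry)

    def member_of(self, entry):
        """Reverse view: every container that lists `entry` as a member."""
        return {c for c, m in self.members.items() if entry in m}

    def effective_permissions(self, user):
        """Walk user -> role -> privilege -> permission and collect names."""
        perms = set()
        for role in self.member_of(user):
            if role[0] != ROLE:
                continue
            for priv in self.members[role]:
                if priv[0] != PRIVILEGE:
                    continue
                for perm in self.members[priv]:
                    if perm[0] == PERMISSION:
                        perms.add(perm[1])
        return perms

    def may(self, user, permission_name):
        return permission_name in self.effective_permissions(user)


def run_scenario():
    """Mirror the ticket's test: tuser1 cannot add users until helpdesk
    (with the useradmin privilege) is granted. Returns (before, after)."""
    d = ToyDirectory()
    useradmin = (PRIVILEGE, "useradmin")
    # Constructed permission names; the real privilege has its own set.
    d.add_member(useradmin, (PERMISSION, "add users"))
    d.add_member(useradmin, (PERMISSION, "modify users"))

    tuser1 = (USER, "tuser1")
    before = d.may(tuser1, "add users")          # expected False

    helpdesk = (ROLE, "helpdesk")
    d.add_member(helpdesk, tuser1)               # ipa role-add-member
    d.add_member(helpdesk, useradmin)            # ipa role-add-privilege
    after = d.may(tuser1, "add users")           # expected True
    return before, after, d


if __name__ == "__main__":
    before, after, d = run_scenario()
    print("before:", before, "after:", after)
    print("tuser1 memberOf:", d.member_of((USER, "tuser1")))
```

The point of `member_of` is that the user-facing "which roles does this user hold" question is answered by scanning forward links, so whichever direction the LDAP layer stores, the displayed membership can be presented the other way round.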
rebased patch freeipa-rcrit-612-2-permission.patch
master: 4ad8055
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.0 - 2010/11