#9130 [FRE] Delegation of group membership
Closed: fixed 2 years ago by marcelkeller. Opened 2 years ago by marcelkeller.

Request for enhancement

A way to delegate the admin rights to a group or set of groups (i.e. give some sub-organisation a way to add and remove users to/from a group, without giving them the possibility to modify users or affect other group memberships).

Issue

We'd like to use FreeIPA for a larger organisation with a multitude of teams. The scope of those teams is not distinct, i.e. some teams need to access other machines administered by other teams.
User group membership via a central helpdesk is not feasible for us in terms of resources, processing, time and security.
Teams should be able to delegate management of the developer group to the development team lead, management of the support staff group to support, etc.

Additional info:

caveats / not a solution:
Currently it is possible to delegate certain attributes of group members (room number, telephone, etc). If this were extended to member attributes, it would give the right to add membership to other attributes, too. So that is no solution.
It should be ensured that no back doors can be opened (uid=0, dangerous home directories).


You can do this today in a somewhat cumbersome way.

Basically you create a permission that allows writing the member attribute of a specific group.

You add that permission to a privilege and that privilege to a role.

Then assign a user or group to that role which will allow it to manage the membership of the target group.

For example, if we want members of group g1 to manage membership of group g2:

# permission: write access to the "member" attribute of group g2 only
ipa permission-add 'manage members of g2' --right=write --attrs=member --targetgroup=g2
# wrap the permission in a privilege, the privilege in a role
ipa privilege-add 'manage members of g2'
ipa privilege-add-permission 'manage members of g2' --permissions='manage members of g2'
ipa role-add g1
ipa role-add-privilege g1 --privileges='manage members of g2'
# finally, make the members of group g1 holders of that role
ipa role-add-member g1 --groups=g1

We already have member manager support:
https://freeipa.readthedocs.io/en/latest/designs/membermanager.html

# ipa help group-add-member-manager
Usage: ipa [global-options] group-add-member-manager GROUP-NAME [options]

Add users that can manage members of this group.
Options:
  -h, --help    show this help message and exit
  --all         Retrieve and print all attributes from the server. Affects
                command output.
  --raw         Print entries as stored on the server. Only affects output
                format.
  --no-members  Suppress processing of membership attributes.
  --users=STR   users to add
  --groups=STR  groups to add

# ipa help group-remove-member-manager
Usage: ipa [global-options] group-remove-member-manager GROUP-NAME [options]

Remove users that can manage members of this group.
Options:
  -h, --help    show this help message and exit
  --all         Retrieve and print all attributes from the server. Affects
                command output.
  --raw         Print entries as stored on the server. Only affects output
                format.
  --no-members  Suppress processing of membership attributes.
  --users=STR   users to remove
  --groups=STR  groups to remove
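The two delegation paths above (permission/privilege/role, and the member-manager commands) both need the same check before they are trusted in a larger organisation: the delegate must be able to change the members of the target group and nothing else, in particular not other groups' membership and not user attributes such as the UID number or home directory mentioned in the ticket. The script below is an added example, not code from the ticket or from the FreeIPA project; it assumes a server reachable through the `ipa` CLI, constructed group names g1 (delegates), g2 (target), g3 (another group) and a constructed user alice, and introduces an `IPA` variable of its own so the CLI can be wrapped during testing.

```shell
#!/bin/sh
# Added example: set up delegated membership management in FreeIPA both ways
# and verify, as the delegate, that only the intended operation is permitted.
# IPA is a hook introduced here (not an ipa CLI feature) so the commands can be
# routed through a wrapper; by default it is the real "ipa" binary.
IPA=${IPA:-ipa}

# Newer way: the member-manager feature (group-add-member-manager).
delegate_member_manager() {
    target=$1; manager_group=$2
    "$IPA" group-add-member-manager "$target" --groups="$manager_group"
}

# Older way: permission -> privilege -> role, then the delegate group as role member.
# The permission is restricted to the "member" attribute of one target group.
delegate_via_rbac() {
    target=$1; manager_group=$2
    name="manage members of $target"
    "$IPA" permission-add "$name" --right=write --attrs=member --targetgroup="$target" &&
    "$IPA" privilege-add "$name" &&
    "$IPA" privilege-add-permission "$name" --permissions="$name" &&
    "$IPA" role-add "$name" &&
    "$IPA" role-add-privilege "$name" --privileges="$name" &&
    "$IPA" role-add-member "$name" --groups="$manager_group"
}

# Run this with the delegate's Kerberos ticket (kinit <delegate user>).
# Returns 0 only if membership changes on the target succeed AND every
# forbidden operation is refused by the server.
check_delegation() {
    target=$1; other_group=$2; user=$3
    failures=0
    # Allowed: add and remove a member of the delegated group.
    if ! "$IPA" group-add-member "$target" --users="$user" >/dev/null 2>&1; then
        echo "FAIL: delegate cannot add a member to $target"; failures=$((failures+1))
    fi
    if ! "$IPA" group-remove-member "$target" --users="$user" >/dev/null 2>&1; then
        echo "FAIL: delegate cannot remove a member from $target"; failures=$((failures+1))
    fi
    # Forbidden: other attributes of the target group, membership of another
    # group, and user attributes (the uid=0 / home directory back doors).
    for forbidden in \
        "group-mod $target --desc=changed-by-delegate" \
        "group-add-member $other_group --users=$user" \
        "user-mod $user --uid=0" \
        "user-mod $user --homedir=/"
    do
        # shellcheck disable=SC2086  # intentional word splitting into arguments
        if "$IPA" $forbidden >/dev/null 2>&1; then
            echo "FAIL: delegate was allowed to run: ipa $forbidden"; failures=$((failures+1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Typical use (constructed names): as an admin, delegate g2 to g1, then
# kinit as a member of g1 and run:  check_delegation g2 g3 alice
```

Run the setup functions with admin credentials and the check with the delegate's ticket; a non-zero exit from `check_delegation` means the delegation is broader than intended and should be fixed before it is rolled out to other teams.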

Many thanks for the quick and detailed answer. We have done many tests and it works for us now. Thank you again and I will close this request.

Metadata Update from @marcelkeller:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
