On 12.02.25 19:15, Rob Crittenden wrote:
> More specifics would help. How did it not work as expected? What is the
> full ACI you came up with?
> The idea is that this is granted to all authenticated users EXCEPT those
> in the, in your case, iam-managed-users and admins groups.
We did not use RBAC much up to now. So it is very likely that I did not
fully grasp the whole concept yet.
What I did was add users to a group called
cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
and modify the target filter to
(&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))).
Nothing else. Because I thought the "System: Change User" permission
applies to all IPA users by default. This assumption might probably be
wrong...
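As an added illustration (not part of the thread), a small evaluator for the boolean part of that target filter, run against constructed user entries, shows which entries the filter selects; only the filter string is taken from the message, the user DNs and memberOf values are made up.

```python
# Added example: evaluate the targetfilter from the message against constructed
# user entries. Supports the RFC 4515 subset needed here: &, |, ! and attr=value.

TARGET_FILTER = (
    "(&(!(memberOf=cn=iam-managed-users,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at))"
    "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at)))"
)

BASE = "cn=accounts,dc=linux,dc=mydomain,dc=at"
# Constructed entries (not real data): attribute names are lowercased keys.
SAMPLE_ENTRIES = {
    f"uid=alice,cn=users,{BASE}": {"memberof": [f"cn=ipausers,cn=groups,{BASE}"]},
    f"uid=bob,cn=users,{BASE}": {"memberof": [f"cn=ipausers,cn=groups,{BASE}",
                                               f"cn=iam-managed-users,cn=groups,{BASE}"]},
    f"uid=carol,cn=users,{BASE}": {"memberof": [f"cn=ipausers,cn=groups,{BASE}",
                                                 f"CN=admins,cn=groups,{BASE}"]},  # mixed case
}

def parse_filter(text, pos=0):
    """Parse one filter starting at text[pos]; return (tree, position after it)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":                      # compound: list of sub-filters
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)           # simple attr=value (values here hold no ')')
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry; DN values compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]

def allowed_targets(entries, filter_text=TARGET_FILTER):
    """Return the DNs of entries the targetfilter selects (alice only for the sample)."""
    tree, _ = parse_filter(filter_text)
    return [dn for dn, entry in entries.items() if matches(tree, entry)]
```

The targetfilter only decides which user entries the permission may touch; who is allowed to exercise the permission is set separately by the permission's bind rule or the privileges and roles it is attached to, which is why the filter alone does not grant or deny anything to a particular editor.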