On Thu, 2 Sep 2010 16:26:26 -0700 Brian LaMere <[email protected]> wrote:
> > 389 access control is pretty powerful and flexible. There's
> > usually a way to do what you want to do without having to resort to
> > using subtrees (as in AD).
> >
> > http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
>
> aye - I already have everything on that side of the house working
> perfectly, in exactly the way I want it. However, part of how I have
> that is based on ACIs attached to specific ou units. So if it could
> probably be made to work without resorting to ACIs for individual
> OUs, then...ok. I want PMs to be able to make people that are
> customers, but not people who are People (that sounds horrible, but
> you know what I mean...heh). That's just one example of many,
> including batch processes that make changes to specific ou units
> reserved for the activities of those processes.
>
> Perhaps I'll just install FreeIPA and see, then.

Brian,
for non user/group/host objects you fully own and control you can use
whatever directory structure you want as long as you do not put them
under the cn=accounts subtree and keep them generally away from any IPA
controlled subtree.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
