Closed sfinn85 closed 7 months ago
It might be possible to archive this with a pre-callback on the group_add_member plugin. This would enforce the restriction on the IPA API layer.
After this was initially filed, this feature has been expanded out a little, as we now need to support more and one "agreement". And a user may have an account, and not have signed any of the agreements.
So on the freeipa-fas side, we need the following (i think):
This is something that we may be able to enforce on the FreeIPA side? @tiran can maybe tell us whether that's feasible (depending on how FPCA is stored probably)?