On Fri, 10 Jun 2016, Petr Vobornik wrote:
On 06/09/2016 09:47 PM, Alexander Bokovoy wrote:
On Thu, 09 Jun 2016, Martin Basti wrote:



On 09.06.2016 17:49, Martin Babinsky wrote:
On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
Hi,

In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.

This allows to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.

Part of https://fedorahosted.org/freeipa/ticket/2149



ACK


Ticket for this is in 'Tickets Deferred' milestone and should be
re-triaged before push
The ticket itself covers a far longer story and should stay in the
deferred bucket. However, this specific part of the implementation was
already discussed to be for 4.4. Don't pull the original ticket, as I'm
using it as a tracker.

This ticket should be used for that:
https://fedorahosted.org/freeipa/ticket/3242
I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and
is properly describing what this is about.

Note that if you manually add ID Override record to the cn=admins group,
then AD users will indeed be able to manage IPA via CLI.

3242 is more UI related. UI part needs to be done as we have explicit
prevention for AD user logons right now.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to