On Wed, 12 Oct 2016, rajat gupta wrote:
Hi,

Normally HBAC for AD users should be done through an external group.
You should use freeipa-users@ mailing list for these questions.

And start with documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html



So, for example, we have 500+ users on AD and only 100 users are
administrators, and they have Linux server access.

I want to set the HBAC and sudo rules for users, so that users have the
correct server access and sudo rights. I am using the *Active Directory
trust setup*.

In this case I need to add all of the 100 users in FreeIPA as an external
group.

For example: user1 is the user name in AD

*user1-external*: external group in IPA for trusted domain users
*user1*: POSIX group for external

No, you don't need to do that. All you need to do is to create a group
on the AD side, to which the users who need access to Linux systems would
be added, and then add that group to the external group on the IPA side.

Do we have a document for implementing the HBAC and sudo rules for an
external group?

See above documentation and discussions on freeipa-users@ mailing list.

--
/ Alexander Bokovoy
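
The setup described in the reply above (one AD group mapped into an IPA external group, with HBAC and sudo rules on a POSIX group that nests it), as an added example that is not part of the original thread or the FreeIPA documentation. The AD domain and group, the IPA group, host group and rule names, and the sudo command are all constructed placeholders.

```shell
#!/bin/sh
# Added example. Every name below is a constructed placeholder.
AD_GROUP='AD\linux-admins'      # group created on the AD side (assumed name)
EXT_GROUP='ad_admins_external'  # IPA external, non-POSIX group (assumed)
POSIX_GROUP='ad_admins'         # IPA POSIX group used in rules (assumed)
HOSTGROUP='linux_servers'       # existing IPA host group (assumed)
RULE='ad_admins_access'         # HBAC rule name (assumed)
SUDO_CMD='/usr/bin/systemctl'   # one command to allow via sudo (assumed)

# Print each command unless DRY_RUN=0, so the plan can be reviewed first.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

grant_ad_group_access() {
    # 1. The external group holds the AD group; no per-user entries in IPA.
    run ipa group-add "$EXT_GROUP" --external
    run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP"
    # 2. A POSIX group nests the external group; rules reference this one.
    run ipa group-add "$POSIX_GROUP"
    run ipa group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
    # 3. HBAC: the group may use sshd and sudo on the host group only.
    run ipa hbacrule-add "$RULE"
    run ipa hbacrule-add-user "$RULE" --groups="$POSIX_GROUP"
    run ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd --hbacsvcs=sudo
    # 4. sudo: allow a single named command rather than everything.
    run ipa sudocmd-add "$SUDO_CMD"
    run ipa sudorule-add "${RULE}_sudo"
    run ipa sudorule-add-user "${RULE}_sudo" --groups="$POSIX_GROUP"
    run ipa sudorule-add-host "${RULE}_sudo" --hostgroups="$HOSTGROUP"
    run ipa sudorule-add-allow-command "${RULE}_sudo" --sudocmds="$SUDO_CMD"
    # 5. The default allow_all rule admits every user to every host; the
    #    rule above only restricts access once it is disabled. Confirm that
    #    IPA admins keep a rule of their own before running this for real.
    run ipa hbacrule-disable allow_all
}

grant_ad_group_access
```

Run as-is to print the plan; set `DRY_RUN=0` with a valid IPA admin Kerberos ticket to apply it.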
