Have an AWS footprint that, thanks to FreeIPA, can talk to a really complex remote AD forest with lots of transitive trusts and child domains. Would not be possible without FreeIPA in the mix.

So far we've only really been required to grant admin/sudo access, and we've done that individually with role-based user and host groups.
I'm comfortable with bringing an AD user into the fold:
1. Make a non-posix group in FreeIPA to hold the AD usernames
2. Make a second group of type=POSIX that inherits members from the
external non-posix group
3. Implement RBAC controls and rules via the posix group
Now I need to globally allow SSH and possibly other PAM service access based on pre-existing AD group membership.

Looking for guidance or URLs on how to manage RBAC controls based on AD group rather than AD username.

Is it roughly the same (or exactly the same?):
- Make non-posix group that references the AD group in FreeIPA
- Make POSIX group in FreeIPA that inherits members of the non-posix group
- Implement RBAC rules?
Any tips or cheatsheets for allowing RBAC controls based on groups that exist in AD would be appreciated. Thanks!
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
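The group-based variant of the three-step procedure in the post, as an added example that is not part of the original message and not FreeIPA project code: an external (non-POSIX) group holds the AD group as its member, a POSIX group inherits from it, and an HBAC rule and a sudo rule are keyed on the POSIX group. All names (the AD domain `ad.example.com`, the AD group `Linux Admins`, the IPA group, hostgroup and rule names) are assumed placeholders; the `ipa` subcommands and options are the standard FreeIPA CLI. `DRY_RUN=1` prints the commands instead of executing them, which is how the script can be reviewed offline before being run against a real server.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Maps an AD group into
# FreeIPA and grants SSH + sudo via rules keyed on the resulting POSIX group.
# All names below are hypothetical; override them via the environment.
# DRY_RUN=1 prints each ipa command instead of running it.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
AD_GROUP="${AD_GROUP:-Linux Admins}"
EXT_GROUP="${EXT_GROUP:-ad_linux_admins_external}"
POSIX_GROUP="${POSIX_GROUP:-ad_linux_admins}"
HOSTGROUP="${HOSTGROUP:-aws-hosts}"
HBAC_RULE="${HBAC_RULE:-allow_ssh_ad_linux_admins}"
SUDO_RULE="${SUDO_RULE:-sudo_ad_linux_admins}"

# Execute the command, or print it verbatim when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1 and 2: external group holding the AD group (stored by SID), then a
# POSIX group that inherits its members. Only the POSIX group gets a GID,
# so only it can appear in HBAC/sudo rules and on the hosts.
map_ad_group() {
  run ipa group-add --external "$EXT_GROUP" --desc "AD group: $AD_GROUP"
  run ipa group-add-member "$EXT_GROUP" --external "${AD_GROUP}@${AD_DOMAIN}"
  run ipa group-add "$POSIX_GROUP" --desc "POSIX wrapper for $EXT_GROUP"
  run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# Step 3a: HBAC rule scoped to one PAM service (sshd) and one hostgroup,
# rather than --hostcat=all, so access stays least-privilege.
grant_ssh() {
  run ipa hbacrule-add "$HBAC_RULE" --desc "SSH for AD group $AD_GROUP"
  run ipa hbacrule-add-user "$HBAC_RULE" --groups "$POSIX_GROUP"
  run ipa hbacrule-add-host "$HBAC_RULE" --hostgroups "$HOSTGROUP"
  run ipa hbacrule-add-service "$HBAC_RULE" --hbacsvcs sshd
}

# Step 3b: sudo rule on the same group/hostgroup pair.
grant_sudo() {
  run ipa sudorule-add "$SUDO_RULE" --desc "sudo for AD group $AD_GROUP"
  run ipa sudorule-add-user "$SUDO_RULE" --groups "$POSIX_GROUP"
  run ipa sudorule-add-host "$SUDO_RULE" --hostgroups "$HOSTGROUP"
  run ipa sudorule-mod "$SUDO_RULE" --cmdcat=all
}

# Server-side check: hbactest simulates "user X on host Y for service Z".
# Arguments: AD user principal (user@AD_DOMAIN) and an enrolled IPA host FQDN.
check_access() {
  run ipa hbactest --user "$1" --host "$2" --service sshd
}

main() {
  map_ad_group
  grant_ssh
  grant_sudo
  check_access "someuser@${AD_DOMAIN}" "host1.ipa.example.com"
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Two caveats a practitioner would check before trusting the rule: FreeIPA ships with an `allow_all` HBAC rule enabled, so a new restrictive rule changes nothing until `ipa hbacrule-disable allow_all` has been run; and after changing group membership on the IPA side, `sssd` on the clients caches the old answer, so `sss_cache -E` (or `ipa hbactest`) is the quickest way to see the effective result.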