On Tue, 14 Nov 2017, Chris Dagdigian via FreeIPA-users wrote:
> Hi folks,
>
> Have an AWS footprint that thanks to FreeIPA can talk to a really complex remote AD forest with lots of transitive trusts and child domains. Would not be possible without FreeIPA in the mix.
>
> So far we've only really been required to grant admin/sudo access and we've done that individually with role based user and hostgroups
>
> I'm comfortable with bringing an AD user into the fold:
>
> 1. Make a non-posix group in FreeIPA to hold the AD usernames
> 2. Make a second group of type=POSIX that inherits members from the external non-posix group
> 3. Implement RBAC controls and rules via the posix group
> 4. magic!
>
> Now I need to globally allow SSH and possibly other PAM service access based on pre-existing AD group membership
>
> Looking for guidance or URLs on how to manage RBAC controls based on AD group rather than AD username.
>
> Is it roughly the same (or exactly the same?)
>
> - Make non-posix group that references the AD group in FreeIPA
> - Make POSIX group in FreeIPA that inherits members of the non-posix group
> - Implement RBAC rules?
Correct. It is exactly the same.

> Any tips or cheatsheets for allowing RBAC controls based on groups that exist in AD would be appreciated. Thanks!
You just listed it above. Remember that 'external members' of a non-POSIX
group in FreeIPA are just SIDs. Since on the AD side any SID that can be
part of a Kerberos ticket's MS-PAC structure can be used for security
controls, any SID mentioned as an 'external member' of such a non-POSIX
group in IPA (which is a member of some POSIX group in IPA) can be used
to control membership in that POSIX group, and thus HBAC/SUDO rules.

It is a bit of magic, but magic that was carefully designed this way.

> Chris
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
/ Alexander Bokovoy
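The three-step chain discussed in the thread (external group, POSIX group, rules keyed on the POSIX group) written out as ipa CLI commands, with the HBAC and sudo rules it feeds and a check that the AD group really landed as a SID. This is an added example, not commands posted by either participant; the AD NetBIOS domain AD, the AD group linux-admins, the hostgroup aws_hosts and the group and rule names are assumed placeholders.

```shell
# Added example, not from the thread. Assumed placeholder names: AD NetBIOS
# domain AD, AD group linux-admins, existing IPA hostgroup aws_hosts.
AD_GROUP='AD\linux-admins'          # AD group in NetBIOS form; a raw SID is also accepted
EXT_GROUP=ad_linux_admins_external  # non-POSIX group that holds the AD group's SID
POSIX_GROUP=ad_linux_admins         # POSIX group that HBAC and sudo rules reference
HOSTGROUP=aws_hosts                 # hostgroup of the AWS hosts being granted access

# Steps 1 and 2: the external (non-POSIX) group mapping the AD group, and the
# POSIX group that inherits its members.
create_group_chain() {
    ipa group-add --external "$EXT_GROUP" --desc="External map of AD group $AD_GROUP"
    ipa group-add "$POSIX_GROUP" --desc="Linux admins mapped from AD"
    # IPA resolves the AD group through the trust and stores it as a SID
    # ('External member'); -n suppresses prompts for the other member types.
    ipa -n group-add-member "$EXT_GROUP" --external="$AD_GROUP"
    ipa group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# Step 3: HBAC rule for sshd plus a sudo rule, both keyed on the POSIX group,
# so AD group membership alone decides SSH and sudo access on the hostgroup.
create_access_rules() {
    ipa hbacrule-add "${POSIX_GROUP}_ssh" --desc="SSH for members of $AD_GROUP"
    ipa hbacrule-add-user "${POSIX_GROUP}_ssh" --groups="$POSIX_GROUP"
    ipa hbacrule-add-host "${POSIX_GROUP}_ssh" --hostgroups="$HOSTGROUP"
    ipa hbacrule-add-service "${POSIX_GROUP}_ssh" --hbacsvcs=sshd
    ipa sudorule-add "${POSIX_GROUP}_sudo" --cmdcat=all --runasusercat=all
    ipa sudorule-add-user "${POSIX_GROUP}_sudo" --groups="$POSIX_GROUP"
    ipa sudorule-add-host "${POSIX_GROUP}_sudo" --hostgroups="$HOSTGROUP"
}

# Check: the SID should show up under 'External member', and hbactest should
# grant sshd access to an AD user of that group on a hostgroup member.
verify_mapping() {
    ipa group-show "$EXT_GROUP" | grep -i 'External member'
    ipa hbactest --user="$1" --host="$2" --service=sshd
}

# Only touch the directory when asked explicitly, e.g.:
#   ./ad-group-rbac.sh --apply someone@ad.example.com host1.example.com
if [ "${1:-}" = "--apply" ]; then
    create_group_chain && create_access_rules && verify_mapping "$2" "$3"
fi
```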