On Tue, 30 Jan 2018, Daniele Liciotti via FreeIPA-users wrote:
> Hi,
>
> I have connected my FreeIPA server with an AD in trust. Is it possible
> to assign special permissions (sudo) to some AD users? I noticed that
> the policies can only be set to AD group.

Policies can only be assigned to POSIX users/groups. Thus, if you have
AD users or groups mapped to POSIX groups, you can get it working.

Add a POSIX group:
  ipa group-add foo

Add an external, non-POSIX group:
  ipa group-add --external foo_external

Add an external user to an external group:
  ipa group-add-member foo_external --external user@ad.domain

The member you add can be anything IPA could resolve into a SID, so a
user or a group from a trusted AD domain.

Add this external group to a POSIX group as a member:
  ipa group-add-member foo --groups=foo_external

Then use the POSIX 'foo' group in your sudo rules.
--
/ Alexander Bokovoy