Hi folks,
Tried to find this in the FreeIPA and RHEL IDM docs but could not find
my answer with any specificity ...
I have a user account called "idmbind" inside an AD controller for a
domain that we integrate with our linux fleet in AWS.
Because this domain is non-essential and we had full control, we got lazy
and just made the "idmbind" account as privileged as possible -- it's
currently part of the "Domain Admin" and "Enterprise Admin" groups.
Now that crunch time is over we are auditing all our AD user accounts.
I've been specifically asked:
"Does your idmbind user really need Enterprise Admin group membership?"
"Does your idmbind user really need Domain Admin group membership?"
Is there a concise answer somewhere on what permissions/roles the local
AD user account needs to have when we use that username and password to
set up 1-way and 2-way trusts with FreeIPA? The docs and screenshots
show the words "domain administrator" but I'm wondering if the
requirements are more specific.
I figure "Domain Admin yes, Enterprise Admin no" may be the proper
answer but looking for a more authoritative voice, thanks!
Chris
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SPR72YHCMOQKZS62SKGDF7BVVS3NO72P/
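For the audit question raised in the post, here is an added example (not from the thread, not FreeIPA or RSAT code) that reports the effective, nesting-resolved AD group membership of the bind account and flags the privileged groups an auditor would question. It assumes the RSAT ActiveDirectory PowerShell module is installed and that you run it as a user who can read the domain; the account name "idmbind" is taken from the post.

```powershell
# Added example: enumerate the effective group membership of a service account
# (direct groups plus nested parents) and flag privileged groups.
# Assumes the RSAT ActiveDirectory module; "idmbind" is the account from the post.
Import-Module ActiveDirectory

$account = 'idmbind'

# Groups whose membership should be justified for any service/bind account.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators')

$user = Get-ADUser -Identity $account -Properties MemberOf

# Breadth-first walk over MemberOf so nested membership (e.g. Domain Admins
# sitting inside the builtin Administrators group) is not missed.
$seen  = @{}
$queue = [System.Collections.Generic.Queue[string]]::new()
$user.MemberOf | ForEach-Object { $queue.Enqueue($_) }
while ($queue.Count -gt 0) {
    $dn = $queue.Dequeue()
    if ($seen.ContainsKey($dn)) { continue }
    try {
        # Groups in another domain of the forest may need -Server <that domain>.
        $g = Get-ADGroup -Identity $dn -Properties MemberOf
    } catch {
        Write-Warning "Could not resolve group $dn : $_"
        continue
    }
    $seen[$dn] = $g.Name
    $g.MemberOf | ForEach-Object { $queue.Enqueue($_) }
}

$effective = $seen.Values | Sort-Object -Unique
Write-Host "Effective group membership for ${account}:"
$effective | ForEach-Object { Write-Host "  $_" }

# Report which of the privileged groups the account effectively holds.
$flagged = $effective | Where-Object { $privileged -contains $_ }
if ($flagged) {
    Write-Warning "$account holds privileged membership: $($flagged -join ', ')"
    Write-Host "Compare each entry against what the trust setup actually requires."
} else {
    Write-Host "$account is not a member of any of the listed privileged groups."
}
```

Run it before and after any membership change so the audit record shows exactly which privileged groups were removed.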