On 5/2/20 2:18 PM, TomK via FreeIPA-users wrote:
Hey All,
Let's suppose I have two AD groups:
unixadmin
unixusers
In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA
functions.
Whereas for the unixusers, I would like to give R/O access.
I've already done the group mappings from AD to FreeIPA.
What is the best way to achieve this? I'm finding related links online
but not quite what I'm looking for.
I did a test to see if nesting the unixadmin group within the FreeIPA
admins group would work but I still can't log in to FreeIPA with my AD
user, despite my ID residing in the unixadmin group which in turn is
nested in the FreeIPA admins group.
This is FreeIPA 4.6.4.
Hi,
you can find more information in "Configuring and Managing Identity
Management" RHEL 8 book, especially in the chapters "Enabling AD users
to administer IdM" [1] and "Web UI login for Active Directory users" [2].
An AD user needs an id override to be able to log in to the WebUI. With
this, he will have access to the self-service UI which provides only a
limited set of operations on his own account.
If the AD user is added to the admins group, he will get additional
privileges.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index#enabling-ad-user-to-administer-idm_configuring-and-managing-idm
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index#web-ui-login-for-ad-users-login-web-ui-krb
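The two steps flo describes (an ID override for Web UI login, then admins membership for full privileges), as an added example script that is not part of the thread or of the FreeIPA project. The user anchor `ad_user@ad.example.com` is a placeholder, the view name `Default Trust View` is assumed to be the trust's default ID view, and `--idoverrideusers` is a newer option that is not available on the 4.6.4 release the original poster runs.

```shell
#!/bin/sh
# Added example (not from the thread): let an AD user administer IdM.
# Placeholders: AD user anchor and ID view name; override via environment.
# Set DRY_RUN=1 to print the ipa commands instead of executing them.

AD_USER="${AD_USER:-ad_user@ad.example.com}"
ID_VIEW="${ID_VIEW:-Default Trust View}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: an ID override in the trust view is what allows the AD user to
# log in to the Web UI at all. On its own this only yields the
# self-service UI (a limited view of the user's own account), which is
# the level a "read-only" group such as unixusers would stop at.
add_override() {
    run ipa idoverrideuser-add "$ID_VIEW" "$1"
}

# Step 2: make the override a member of the 'admins' group so the user
# receives full administrative privileges (the unixadmin case).
grant_admin() {
    run ipa group-add-member admins --idoverrideusers "$1"
}

# Verification: the override should exist in the view and appear in the
# membership listed by group-show; review both before handing out access.
verify() {
    run ipa idoverrideuser-show "$ID_VIEW" "$1" &&
    run ipa group-show admins
}

# Override-only (self-service) for every user given on the command line.
enable_ad_users() {
    for u in "$@"; do add_override "$u" || return 1; done
}

# Override plus admins membership for every user given on the command line.
enable_ad_admins() {
    for u in "$@"; do
        add_override "$u" && grant_admin "$u" && verify "$u" || return 1
    done
}
```

Run as `DRY_RUN=1 sh -c '. ./script.sh; enable_ad_admins "$AD_USER"'` first to review the exact commands, then without `DRY_RUN` on an IdM server where you hold an admin Kerberos ticket.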
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org