Spoke too soon -- looks like FreeIPA 4.8.7 does not support the
'--idoverrideusers' stuff shown on that URL:
$ ipa group-add-member admins --idoverrideusers <rest of command>
Usage: ipa [global-options] group-add-member GROUP-NAME [options]
ipa: error: no such option: --idoverrideusers
Neither the group-add-member nor the role-add-member seems to support the
"--idoverrideuser" required to make this work.
Are the docs outdated or is my IPA version?
Thanks!
Chris
David Sastre <mailto:[email protected]>
October 12, 2020 at 2:10 PM
Does this help?
https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-trusted-user.html#usage
Chris Dagdigian <mailto:[email protected]>
October 12, 2020 at 1:59 PM
Hi folks,
I've got a three-node replicating FreeIPA cluster running in AWS with
a one-way trust to an Active Directory domain.
Things work well with respect to user overrides and RBAC rules
affecting client machines but I can't for the life of me figure out
the order of operations for allowing a couple of external AD users to
have admin access to the FreeIPA webUI itself.
There are 3 AD users I'd like to give WebUI admin access to.
So far I've tried the standard stuff I've used for non-IPA clients:
1) make group "corp_admins_external" populated with external
"[email protected]" identities
2) Make group "corp_admins_posix" populated with the
corp_admins_external group
3) Added corp_admins_posix group to the admin group
Best I've been able to do so far is give myself login access to just
the user self-service page and even then that failed until
oddjob-mkhomedir() was running and enabled under authconfig.
Is there a guide or a documentation set specific to granting admin
access to the webUI for forms-based login users?
Thanks!
Chris