I don't have a 4.8.7 installation to test this, but the release notes[1] seem to indicate that this functionality should be available:
- 8357: Allow managing IPA resources as a user from a trusted Active Directory forest

  A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.

The syntax may be different, though. You can try the `ipa role-add-member` inline help.

[1]: https://www.freeipa.org/page/Releases/4.8.7

On Mon, Oct 12, 2020 at 8:31 PM Chris Dagdigian <[email protected]> wrote:

> Spoke too soon -- looks like FreeIPA 4.8.7 does not support the
> '--idoverrideusers' stuff shown on that URL:
>
> Usage: ipa [global-options] group-add-member GROUP-NAME [options]
>
> $ ipa group-add-member admins --idoverrideusers <rest of command>
> Usage: ipa [global-options] group-add-member GROUP-NAME [options]
>
> ipa: error: no such option: --idoverrideusers
>
> Neither the group-add-member nor the role-add-member seem to support the
> "--idoverrideuser" required to make this work.
>
> Are the docs outdated or is my IPA version?
>
> Thanks!
>
> Chris
>
>
> David Sastre <[email protected]>
> October 12, 2020 at 2:10 PM
> Does this help?
>
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-trusted-user.html#usage
>
>
> Chris Dagdigian <[email protected]>
> October 12, 2020 at 1:59 PM
> Hi folks,
>
> I've got a three-node replicating FreeIPA cluster running in AWS with a
> one-way trust to an Active Directory domain.
>
> Things work well with respect to user overrides and RBAC rules affecting
> client machines, but I can't for the life of me figure out the order of
> operations for allowing a couple of external AD users to have admin access
> to the FreeIPA webUI itself.
>
> There are 3 AD users I'd like to give WebUI admin access to.
>
> So far I've tried the standard stuff I've used for non-IPA clients:
>
> 1) make group "corp_admins_external" populated with external
>    "[email protected]" <[email protected]> identities
> 2) Make group "corp_admins_posix" populated with the corp_admins_external
>    group
> 3) Added corp_admins_posix group to the admin group
>
> Best I've been able to do so far is give myself login access to just the
> user self-service page, and even then that failed until oddjob-mkhomedir()
> was running and enabled under authconfig.
>
> Is there a guide or a documentation set specific to granting admin access
> to the webUI for forms-based login users?
>
> Thanks!
>
> Chris
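An added check, not part of the thread or of FreeIPA's own tooling: a small POSIX shell script that compares an installed FreeIPA version string against the 4.8.7 release cited in the reply and probes `ipa group-add-member --help` / `ipa role-add-member --help` for the `--idoverrideusers` option the thread is about. The help-text samples are constructed, and `version_ge`, `help_has_idoverride` and `check_live` are names chosen for this example; it assumes the ipa client prints long option names in its help output, as the quoted error shows.

```shell
# Added example: probe whether the installed ipa client accepts --idoverrideusers
# on group-add-member / role-add-member, and compare a FreeIPA version string
# against 4.8.7. Assumes "ipa <subcommand> --help" lists long option names.

# version_ge A B: succeed when dotted version A is >= B (first three numeric
# components; packaging suffixes such as "-3.el8" are ignored).
version_ge() {
  v1="$1"; v2="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$v1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    y=$(printf '%s' "$v2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# help_has_idoverride TEXT: succeed when the help text lists --idoverrideusers.
help_has_idoverride() {
  printf '%s\n' "$1" | grep -q -- '--idoverrideusers'
}

# Constructed help snippets (not real ipa output) so the functions can be
# exercised offline: one without the option, one with it.
SAMPLE_OLD_HELP='Usage: ipa [global-options] group-add-member GROUP-NAME [options]
Options:
  --users=STR    users to add
  --groups=STR   groups to add'
SAMPLE_NEW_HELP='Usage: ipa [global-options] group-add-member GROUP-NAME [options]
Options:
  --users=STR             users to add
  --idoverrideusers=STR   ID user overrides to add'

# check_live: run the probe against the real client, if one is installed.
check_live() {
  command -v ipa >/dev/null 2>&1 || { echo "ipa client not found"; return 2; }
  for cmd in group-add-member role-add-member; do
    if help_has_idoverride "$(ipa "$cmd" --help 2>&1)"; then
      echo "$cmd: accepts --idoverrideusers"
    else
      echo "$cmd: no --idoverrideusers; read 'ipa $cmd --help' for the current option name"
    fi
  done
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` on an IPA client to see which subcommands accept ID override members; without arguments it only defines the functions.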
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
