On ke, 27 tammi 2021, Ronald Wimmer via FreeIPA-users wrote:
On 27.01.21 10:11, Alexander Bokovoy via FreeIPA-users wrote:
The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.9.1
* 3226: [RFE] ipa sudorule-add-user should accept more types of
characters
IPA now supports users and groups from trusted Active Directory
domains in SUDO rules to specify runAsUser/runAsGroup properties
without an intermediate non-POSIX group membership
This means the right way to map an AD group would now be creating a
POSIX group that has the AD group as its direct member?
No. The way to include AD users/groups into POSIX groups did not change
at all.
Is an intermediate non-POSIX group still needed for HBAC?
Correct.
What changed is that for SUDO rules (and SUDO rules alone) there is a
way to include AD users/groups into the SUDO rules directly.
The design document explains it in more details:
https://freeipa.readthedocs.io/en/latest/designs/adtrust/sudorules-with-ad-objects.html
There is one bug right now in SSSD with runAsGroup handling. It will be
fixed in RHEL 8.4 and CentOS 8 Stream (and Fedora next week, I've been
told).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
