I've been working with support on how to set up HBAC and sudo rules with AD
users.

From what they've described I can only manage them on an aggregate level
using an external group.

For example, I can define an hbac rule, but that hbac rule will be valid
for *all* AD users in the external group that was created to handle them.

Am I missing something?  If that's the case then this isn't flexible enough
for our needs.  I have to be able to specify rules based on individual
accounts.

It seems like there might be a work-around by using multiple external
groups and having each AD user in their own external group, but that would
be really cumbersome (if it's even possible.)

Do I have any other options?

Thanks,

--Jason
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
