On Mon, 11 Aug 2014, Daniel Shown wrote:
> I'm fairly new to FreeIPA, so can someone give me a sanity check? Should I
> be able to map AD users in an AD trust to corresponding FreeIPA users?
> i.e. Users can auth with their AD credentials and get a FreeIPA uidnumber,
> gidnumber, home, etc.?

Users from a trusted forest are treated as separate users. They have
their own identities and get IDs from either Active Directory (if POSIX
compatibility is enabled in AD) or from a special ID range allocated for
them in IPA.

You can include these users (and groups, it doesn't matter what is what)
in a special type of group in IPA, called "external" groups. These
groups, in turn, can be members of existing POSIX groups from IPA. If
done so, your AD users will become members of the appropriate POSIX groups
from IPA by means of nested membership.

These POSIX groups then can be used to apply SUDO or HBAC rules against
AD users.

/ Alexander Bokovoy
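
The sequence described in the reply above, written out as `ipa` CLI calls. This is an added example, not part of the original message or the project's own code; every group, rule and host name in it is a constructed placeholder. It prints the commands and runs them only when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. Every group, rule and host name used here is a constructed
# placeholder. Commands are printed; they run only when APPLY=1 is set
# (which needs the ipa CLI and an admin Kerberos ticket).

run() {
    line=
    for arg in "$@"; do
        case $arg in
            *[!A-Za-z0-9_=./@-]*) line="$line '$arg'" ;;  # quote for display
            *) line="$line $arg" ;;
        esac
    done
    printf '%s\n' "${line# }"
    [ "${APPLY:-0}" = "1" ] || return 0
    "$@"
}

# map_ad_group AD_GROUP EXT_GROUP POSIX_GROUP HBAC_RULE HOST
map_ad_group() {
    ad_group=$1; ext_group=$2; posix_group=$3; hbac_rule=$4; host=$5

    # 1. External (non-POSIX) group: exists only to hold trusted-forest members.
    run ipa group-add "$ext_group" --external \
        --desc "External map for $ad_group" || return 1
    # 2. Ordinary IPA POSIX group that SUDO/HBAC rules are written against.
    run ipa group-add "$posix_group" --desc "POSIX group for $ad_group" || return 1
    # 3. Put the AD group (or user) into the external group.
    #    The CLI may also prompt for member user/group; leave those blank.
    run ipa group-add-member "$ext_group" --external "$ad_group" || return 1
    # 4. Nest the external group in the POSIX group (the nested membership).
    run ipa group-add-member "$posix_group" --groups "$ext_group" || return 1
    # 5. HBAC rule: members of the POSIX group may use sshd on one host.
    run ipa hbacrule-add "$hbac_rule" || return 1
    run ipa hbacrule-add-user "$hbac_rule" --groups "$posix_group" || return 1
    run ipa hbacrule-add-host "$hbac_rule" --hosts "$host" || return 1
    run ipa hbacrule-add-service "$hbac_rule" --hbacsvcs sshd || return 1
}

map_ad_group 'AD\Domain Admins' ad_admins_external ad_admins \
    allow_ad_admins_ssh client.ipa.example.test
```

An HBAC rule like this only narrows access once the default `allow_all` rule is disabled.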
