Right, that's what I've got at this point. I just wanted to make sure I
wasn't missing something. Unfortunately, that architecture won't work for
me (mostly for political reasons instead of technical ones). I guess I'll
be digging into pass through auth to see if I can get that working.


*Daniel Shown,*
Linux Systems Administrator
Advanced Technology Group
Information Technology Services <http://www.slu.edu/its>
at Saint Louis University <http://www.slu.edu/>.


"The aim of education
is the knowledge,
not of facts,
but of values."
ā€” William S. Burroughs

"Iā€™m supposed to be
a scientific person
but  I use intuition
more than logic
in making basic
ā€” Seymour R. Cray

On Mon, Aug 11, 2014 at 3:08 PM, Alexander Bokovoy <aboko...@redhat.com>

> On Mon, 11 Aug 2014, Daniel Shown wrote:
>> I'm fairly new to FreeIPA, so can someone give me a sanity check? Should I
>> be able to map AD users in an AD trust to to corresponding FreeIPA users?
>> i.e. Users can auth with their AD credentials and get a FreeIPA uidnumber,
>> gidnumber, home, etc.?
> Users from a trusted forest are treated as separate users. They have
> their own identities and get IDs from either Active Directory (if POSIX
> compatibility is enabled at AD) or from special ID range allocated for
> them in IPA.
> You can include these users (and groups, it doesn't matter what is what)
> into special type of groups in IPA, called "external" groups. These
> groups, in turn, can be members of existing POSIX groups from IPA. If
> done so, your AD users will become members of appropriate POSIX groups
> from IPA by means of nested membership.
> These POSIX groups then can be used to apply SUDO or HBAC rules against
> AD users.
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to