On 4/13/15, 11:37 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>Through external users' groups mechanism we use for any other AD users
>mapping in HBAC and SUDO. These are not local (not defined in IPA but
>defined on the host) groups and users but rather AD groups and users.
>ipa group-add --external gould_group_ext
>ipa group-add-member gould_group_ext --external=gould@test.osuwmc
>ipa group-add gould_group
>ipa group-add-member gould_group --groups=gould_group_ext
>And now make sudo rule that allows users of gould_group to run needed
>commands. SSSD will pull in all membership information for gould_group,
>including AD users.

Just curious, but if we don't plan on using any IPA native users, could
you skip the last two commands and add gould_group_ext to the sudo rule?

I've seen this same basic example used for HBAC, but it never was clear to
me why the IPA group needed to be added if you're only concerned with AD
users. Does it need to be added, or do the examples include the IPA group
because they assume that you'll be wanting to use a mix of AD and IPA
users for HBAC and sudo?
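The procedure quoted above, carried through to a complete sudo rule, as an added example that is not from this thread or from the FreeIPA project. It keeps the POSIX wrapper group (gould_group) in front of the external group exactly as the quoted reply does; the rule name gould_sudo, the allowed command /usr/bin/systemctl, the optional host group, the DRY_RUN switch and the function names are assumptions chosen for illustration. Run it with --apply on a machine that has an admin Kerberos ticket; without arguments it only prints the plan.

```shell
#!/bin/sh
# Added example: AD user/group -> IPA external group -> POSIX group -> sudo rule.
# gould_group_ext, gould@test.osuwmc and gould_group come from the thread;
# gould_sudo, /usr/bin/systemctl, the host group and DRY_RUN are assumptions.
set -eu

# DRY_RUN=1 prints each ipa command instead of executing it, so the plan can be
# reviewed (and this script exercised) without a ticket or a reachable server.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# map_ad_group EXT_GROUP AD_PRINCIPAL POSIX_GROUP
# Wrap an AD user or group (e.g. user@AD.REALM) in an IPA external group, then
# nest that external group inside a POSIX group, as in the quoted reply.
map_ad_group() {
    ext=$1; principal=$2; posix=$3
    run ipa group-add --external "$ext"
    run ipa group-add-member "$ext" --external="$principal"
    run ipa group-add "$posix"
    run ipa group-add-member "$posix" --groups="$ext"
}

# sudo_rule RULE POSIX_GROUP COMMAND [HOSTGROUP]
# Register the command, create the rule, attach the POSIX group, allow the
# command, and scope the rule to a host group (or to all hosts if none given).
sudo_rule() {
    rule=$1; posix=$2; cmd=$3; hostgroup=${4:-}
    run ipa sudocmd-add "$cmd"
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-user "$rule" --groups="$posix"
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
    if [ -n "$hostgroup" ]; then
        run ipa sudorule-add-host "$rule" --hostgroups="$hostgroup"
    else
        run ipa sudorule-mod "$rule" --hostcat=all
    fi
}

# verify_client POSIX_GROUP AD_USER
# On an enrolled client: confirm SSSD resolves the AD user, that the POSIX
# group carries the nested external group, and that sudo sees the rule.
verify_client() {
    posix=$1; aduser=$2
    run id "$aduser"
    run ipa group-show "$posix" --all
    run sudo -l -U "$aduser"
}

# plan EXT_GROUP AD_PRINCIPAL POSIX_GROUP RULE COMMAND [HOSTGROUP]
# Print the full command sequence without touching the server.
plan() {
    ( DRY_RUN=1
      map_ad_group "$1" "$2" "$3"
      sudo_rule "$4" "$3" "$5" "${6:-}" )
}

if [ "${1:-}" = "--apply" ]; then
    map_ad_group gould_group_ext gould@test.osuwmc gould_group
    sudo_rule gould_sudo gould_group /usr/bin/systemctl
    verify_client gould_group gould@test.osuwmc
else
    plan gould_group_ext gould@test.osuwmc gould_group gould_sudo /usr/bin/systemctl
fi
```

Because set -e is in force, a failing ipa call (for example group-add on a group that already exists) aborts the run rather than silently continuing to the sudo rule, which is the behaviour you want when the wrapper group is the only thing standing between the AD principal and the rule.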

