On Mon, 13 Apr 2015, Gould, Joshua wrote:
On 4/13/15, 11:37 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

Through external users' groups mechanism we use for any other AD users
mapping in HBAC and SUDO. These are not local (not defined in IPA but
defined on the host) groups and users but rather AD groups and users.

ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --external=gould@test.osuwmc
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext

And now make sudo rule that allows users of gould_group to run needed
commands. SSSD will pull in all membership information for gould_group,
including AD users.

Just curious, but if we don¹t plan on using any IPA native users, could
you skip the last two commands and add gould_group_ext to the sudo rule?
No. gould_group_ext has no POSIX attributes and thus is not visible to

I¹ve seen this same basic example used for HBAC, but it never was clear to
me why the IPA group needed to be added if you¹re only concerned with AD
users? Does it need to be added or do the examples include the IPA group
because they assume that you¹ll be wanting to use a mix of AD and IPA
users for HBAC and sudo?
A schema IPA uses for storing group membership requires existence of an
object in LDAP. AD users and groups don't exist in IPA LDAP and thus
cannot be addressed directly. For doing this we create a real LDAP
object which has reference to AD user/group's SID as a string. SSSD
knows about this arrangement and properly pulls information from this
LDAP object whenever it is encountered as a member of POSIX group. As
result, you can see AD user or group as a member of a POSIX group but we
need a helper object to allow this magic to work.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to