Hi,

If I'm understanding you correctly - you will want to nest 'external' groups 
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add external_admins 
--external)
* Add your AD group as a member to the external group (eg, ipa group-add-member 
external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, 
ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and 
the policies will apply to the AD users in the AD\groupname group.

Hope this helps.

Thanks,

Josh
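The four steps above as a script, added here as an example and not code from the original post or from the FreeIPA project. It also attaches the HBAC and sudo rules those steps are meant to feed, and, since the quoted question also asks about SSH keys for AD-only users, puts a public key on an ID override in the trust view. Group, host group, rule, user and key names are assumptions; the domains are the sanitized ones from the quoted mail. IPA_CMD=echo turns it into a dry run that only prints the ipa commands it would issue.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): scripts the
# AD group -> external group -> POSIX group nesting, then hangs HBAC and sudo
# rules off the POSIX group. Every name below is an assumption.
# IPA_CMD is the client binary; IPA_CMD=echo makes this a dry run that just
# prints the commands it would issue.
set -eu
IPA_CMD="${IPA_CMD:-ipa}"

# $1 AD group (name@ad.domain form; 'DOMAIN\name' also works but needs quoting),
# $2 external (non-POSIX) group that holds the AD SID, $3 POSIX group for policy.
# The built-in 'admins' group already exists in IPA, so use a fresh name for $3.
nest_ad_group() {
  "$IPA_CMD" group-add "$2" --external --desc "AD members of $3"
  "$IPA_CMD" group-add-member "$2" --external "$1"
  "$IPA_CMD" group-add "$3" --desc "POSIX group carrying policy for $1"
  "$IPA_CMD" group-add-member "$3" --groups "$2"
}

# $1 POSIX group, $2 IPA host group. Grants sshd logins and unrestricted sudo
# on those hosts. The HBAC rule restricts nothing while the default allow_all
# rule is enabled, so it is disabled here too (on a production realm, check
# hbacrule-find first: disabling allow_all affects every enrolled host).
attach_policy() {
  "$IPA_CMD" hbacrule-add "allow_${1}_ssh" --desc "sshd for $1 on $2"
  "$IPA_CMD" hbacrule-add-user "allow_${1}_ssh" --groups "$1"
  "$IPA_CMD" hbacrule-add-host "allow_${1}_ssh" --hostgroups "$2"
  "$IPA_CMD" hbacrule-add-service "allow_${1}_ssh" --hbacsvcs sshd
  "$IPA_CMD" hbacrule-disable allow_all
  "$IPA_CMD" sudorule-add "sudo_$1" --cmdcat=all --desc "sudo for $1 on $2"
  "$IPA_CMD" sudorule-add-user "sudo_$1" --groups "$1"
  "$IPA_CMD" sudorule-add-host "sudo_$1" --hostgroups "$2"
}

# $1 AD user (name@ad.domain), $2 public key. An AD user has no IPA user entry
# to hold a key; it goes on an ID override in the trust view, which SSSD on the
# client serves to sshd through sss_ssh_authorizedkeys.
set_ad_user_sshkey() {
  "$IPA_CMD" idoverrideuser-add 'Default Trust View' "$1" --sshpubkey "$2"
}

# Simulate the HBAC decision for an AD user before relying on it.
check_ssh_access() {
  "$IPA_CMD" hbactest --user "$1" --host "$2" --service sshd
}

# IPA_APPLY=1 ./script.sh runs the assumed setup against the realm.
if [ "${IPA_APPLY:-0}" = 1 ]; then
  nest_ad_group linux-admins@company-aws.org ext_linux_admins linux_admins
  attach_policy linux_admins webservers
  set_ad_user_sshkey jdoe@company-aws.org 'ssh-ed25519 AAAA... jdoe'
  check_ssh_access jdoe@company-aws.org web01.company-ipa.org
fi
```

Run it with a Kerberos ticket for an IPA admin (kinit admin). The ID-override key only reaches sshd on clients where ipa-client-install left AuthorizedKeysCommand pointing at sss_ssh_authorizedkeys, and SSSD caches group membership, so run sss_cache -E on a client before concluding that hbactest and the real login disagree.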

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Dagdigian
Sent: Wednesday, October 19, 2016 3:18 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, 
sudo and ssh key management for users who are only in Active Directory

Thanks to great tips and pointers from people on this list (h/t Alexander B) I 
was able to build an IPA master + replica setup that can recognize and allow 
logins from users coming from multiple disconnected AD Forests with 1-way 
trusts to the IPA servers.

Sanitized view of our AWS footprint:

AD Servers & IPA:
------------------------
AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
AD Forest #3:   company.org
IPA Domain/Realm:    company-ipa.org   (successful 1-way trusts to 
company-test.org and company-aws.org etc.)

With basic recognition of users and working SSH logins based on AD username and 
passwords I'm moving on to trying to use the far more interesting IPA/IDM 
features.

Using user accounts defined locally on the IPA server I'm having a blast 
uploading SSH keys and creating sudo rules and groups. So the natural next 
question is "can we do this for users who exist only in remote AD controllers?"

IPA is doing 100% of the UID/GID/Posix stuff management - we are only pulling 
usernames & groups from AD and checking passwords against the AD servers.

The basic question -- is it possible for me to get to "hybrid linux user 
management" nirvana whereby IPA/IDM manages everything about AD users except 
for their username and passwords?

Tried to find this in the official documentation but it dives instantly into 
deep topics about user data mapping, custom schemas and dealing with POSIX data 
served up by the AD controllers. Hard to figure out the boundary between what 
IPA can support with local user accounts vs what it can do when the users 
exist in remote AD forests.

Any URLs or documentation pointers would be appreciated

Regards,
Chris
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project