Perfect thank you. I tend to get too wordy in my emails. You've described exactly what I'm going for.

Follow-up question: will a similar approach work for users (not groups) as well, if there is a small collection of AD-defined people I want to hold and distribute SSH public keys for?

Happy to document our setup or write up a HOWTO or intro guide for other novices if we are trying something that is not often done.


Baird, Josh wrote:

If I'm understanding you correctly - you will want to nest 'external' groups 
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add --external external_admins)
* Add your AD group as a member to the external group (eg, ipa group-add-member 
external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, 
ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and 
the policies will apply to the AD users in the AD\groupname group.

Hope this helps.
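The four steps above as a repeatable POSIX sh script, added here as an example; it is not code from the thread or from the FreeIPA project. It assumes an established IPA-AD trust and uses illustrative names (external_admins, ad_admins_posix, AD\linux-admins, admin_access, linux_admin_hosts) that are not from the thread. It deliberately does not nest the AD group into `admins`, because `admins` is FreeIPA's built-in administrators group and nesting an AD group into it would hand those AD users IPA administrative rights; a fresh POSIX group is created instead, and an HBAC rule is then bound to that POSIX group, which is the step the nesting exists for. DRY_RUN=1 prints the ipa commands instead of running them, so the change can be reviewed on a machine without an IPA client.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Nest an AD group into an IPA 'external' group, nest that into a POSIX
# group, and bind an HBAC rule to the POSIX group. Requires an IPA-AD trust.
# All group, rule and hostgroup names used below are illustrative assumptions.

DRY_RUN="${DRY_RUN:-0}"

# Run an ipa subcommand, or print it (unquoted) in dry-run mode.
ipa_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipa'
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        ipa "$@"
    fi
}

# Reject empty names or names with characters outside [A-Za-z0-9_.-]
# before they reach the CLI.
check_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid IPA name: '$1'" >&2; return 1 ;;
    esac
}

# nest_ad_group EXTERNAL_GROUP POSIX_GROUP 'AD\group'
# Creates the two IPA groups if missing (existence check skipped in dry-run),
# adds the AD group to the external group, then nests the external group
# in the POSIX group. The external group is non-POSIX: it has no GID and
# is the only kind of IPA group that can hold AD (SID-based) members.
nest_ad_group() {
    ext="$1"; posix="$2"; adgroup="$3"
    check_name "$ext" && check_name "$posix" || return 1
    [ -n "$adgroup" ] || { echo "AD group name required" >&2; return 1; }

    if [ "$DRY_RUN" = "1" ] || ! ipa group-show "$ext" >/dev/null 2>&1; then
        ipa_cmd group-add --external "$ext" --desc "Members from AD: $adgroup"
    fi
    ipa_cmd group-add-member "$ext" --external "$adgroup"

    if [ "$DRY_RUN" = "1" ] || ! ipa group-show "$posix" >/dev/null 2>&1; then
        ipa_cmd group-add "$posix" --desc "POSIX wrapper for $ext"
    fi
    ipa_cmd group-add-member "$posix" --groups "$ext"
}

# bind_hbac_rule RULE POSIX_GROUP HOSTGROUP
# Creates an HBAC rule allowing sshd for the POSIX group on a hostgroup.
# Policy must reference the POSIX group, not the external one.
bind_hbac_rule() {
    rule="$1"; posix="$2"; hostgroup="$3"
    check_name "$rule" && check_name "$posix" && check_name "$hostgroup" || return 1

    if [ "$DRY_RUN" = "1" ] || ! ipa hbacrule-show "$rule" >/dev/null 2>&1; then
        ipa_cmd hbacrule-add "$rule" --desc "SSH access for $posix"
    fi
    ipa_cmd hbacrule-add-user "$rule" --groups "$posix"
    ipa_cmd hbacrule-add-host "$rule" --hostgroups "$hostgroup"
    ipa_cmd hbacrule-add-service "$rule" --hbacsvcs sshd
}

# Usage (illustrative names):
#   DRY_RUN=1 sh nest_ad_group.sh external_admins ad_admins_posix 'AD\linux-admins'
# Only runs when invoked with arguments, so sourcing the file is side-effect free.
if [ "$#" -ge 3 ]; then
    nest_ad_group "$1" "$2" "$3"
    bind_hbac_rule admin_access "$2" linux_admin_hosts
fi
```

Remember that the default `allow_all` HBAC rule, if still enabled, grants access regardless of the rule created here; disable it before relying on group-scoped HBAC.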



Manage your subscription for the Freeipa-users mailing list: