On Wed, 19 Oct 2016, Baird, Josh wrote:

If I'm understanding you correctly - you will want to nest 'external' groups 
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add external_admins --external)
* Add your AD group as a member to the external group (eg, ipa group-add-member 
external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, 
ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and 
the policies will apply to the AD users in the AD\groupname group.

Correct -- for HBAC and SUDO rules this is the right procedure. See also
discussions on this list in the last couple of months; this topic was discussed
several times already.

For ID overrides (SSH public keys/homedir/etc) -- see my other email.

/ Alexander Bokovoy
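
The nesting procedure quoted above, followed by one HBAC rule bound to the resulting POSIX group, as an added example (not from this thread or the FreeIPA project). The group, rule and host names are constructed, and the `IPA` override variable is an assumption used to preview the commands.

```shell
#!/bin/sh
# Added example; all group, rule and host names below are constructed.
# IPA may be overridden (e.g. IPA="echo ipa") to preview the commands.
# By default the real `ipa` client is used and a valid admin Kerberos
# ticket (kinit admin) is assumed.
IPA="${IPA:-ipa}"

# nest_ad_group AD_GROUP EXTERNAL_GROUP POSIX_GROUP
# Builds the chain: AD group -> external (non-POSIX) group -> POSIX group.
# Stops at the first failing step so a half-built mapping is noticed.
nest_ad_group() {
    ad_group=$1 ext_group=$2 posix_group=$3
    $IPA group-add "$ext_group" --external || return 1
    $IPA group-add-member "$ext_group" --external "$ad_group" || return 1
    $IPA group-add "$posix_group" || return 1
    $IPA group-add-member "$posix_group" --groups "$ext_group" || return 1
}

# allow_ssh RULE POSIX_GROUP HOST
# Creates an HBAC rule that lets members of POSIX_GROUP (and therefore the
# nested AD users) reach sshd on HOST. Policy references only the POSIX
# group, never the external group or the AD group directly.
allow_ssh() {
    rule=$1 posix_group=$2 host=$3
    $IPA hbacrule-add "$rule" || return 1
    $IPA hbacrule-add-user "$rule" --groups "$posix_group" || return 1
    $IPA hbacrule-add-host "$rule" --hosts "$host" || return 1
    $IPA hbacrule-add-service "$rule" --hbacsvcs sshd || return 1
}

# Usage (constructed names):
#   nest_ad_group 'AD\linux-admins' ad_admins_external ad_admins
#   allow_ssh allow_ad_admins_ssh ad_admins host.ipa.example
```

The example uses `ad_admins` rather than `admins` for the POSIX group because a default IPA installation already ships a group named `admins`.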
