Sorry for the late reply, I've seen this on the mailing list a few times and wondered it myself....this was my solution:
IPA has an option to use RADIUS password, which you can also override the username. So for those users that are allowed to manage IPA, we have google-auth and freeradius gateways setup with a user-override. for example. jev...@ipa.example.com has radius user of jev...@ad.example.com I log into the webui with jev...@ipa.example.com with my password for jev...@ad.example.com (and in my case, I add my google auth OTP) Does this help? -Jake ----- Original Message ----- From: "Alexander Bokovoy" <aboko...@redhat.com> To: "Troels Hansen" <t...@casalogic.dk> Cc: "freeipa-users" <freeipa-users@redhat.com> Sent: Monday, October 31, 2016 3:59:36 AM Subject: Re: [Freeipa-users] Allow external AD users on webui On ma, 31 loka 2016, Troels Hansen wrote: >----- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote: > > >> You make it sound as if it is a done deal. It is not, there is a number >> of changes that yet not figured out how to do in an efficient way. >> >> It is in our pipeline for 4.5. It is understandable that people ask for >> this feature. It is also should be clear to you had it been a simple >> thing, it would have been implemented already. >> >> If you want to see a progress, subscribe to the ticket. > >Hi Alexander > >It was in no way a critics of the FreeIPA team. I'm well aware of the >work being out into this product from the core team, and appreciate >every new release, but also not really able to help much with the >development, only testing and feedback. That's why I asked you to subscribe to the ticket. Once the changes will be ready, you could help with testing them. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project