>>> - User/group management in general becomes largely a command-line operation
>>> (such as mapping groups so they can be used in HBAC and sudo rules)

>> While this is a nice-to-have, it isn't a deal breaker.

> This definitely exists in WebUI? Unless you mean something I don't understand.

> Define groups:
> Identity->User Groups (second tab)

In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users that 
are known via the trust with AD) under the "Users" tab. There is limited 
visibility / management of external groups and membership, but nothing that 
displays a list of available users/groups in AD when attempting to 
create/modify a user/group.

> Define user mappings:
> IPA Server -> ID Views -> Default Trust View

By "mapping" I meant adding an AD group to a FreeIPA group (which can be used 
for HBAC/sudo) so that AD membership is known by IPA when applying the 
HBAC/sudo rules. For example: 

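# External (non-POSIX) group that will hold the AD group reference
ipa group-add \
  --desc="lab.gen.zone 'Domain Admins' external map" \
  --external \
  lgz_map_domain_admins

# POSIX group that HBAC/sudo rules refer to
ipa group-add \
  --desc="lab.gen.zone 'Domain Admins' POSIX" \
  lgz_domain_admins

# Add the AD group to the external group
ipa group-add-member \
  lgz_map_domain_admins \
  --external 'LAB\Domain Admins'

# Nest the external group inside the POSIX group
ipa group-add-member \
  lgz_domain_admins \
  --groups lgz_map_domain_admins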