On 2 February 2017 at 10:06, Jason B. Nance <ja...@tresgeek.net> wrote:

>>>    - User/group management in general becomes largely a command-line
>>> operation (such as mapping groups so they can be used in HBAC and sudo
>>> rules)
>>> While this is a nice-to-have, it isn't a deal breaker.
>> This definitely exists in WebUI? Unless you mean something I don't
>> understand.
>> Define groups:
>> Identity->User Groups (second tab)
> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users
> that are known via the trust with AD) under the "Users" tab.  There is
> limited visibility / management of external groups and membership, but
> nothing that displays a list of available users/groups in AD when
> attempting to create/modify a user/group.

Ah! Yes, I can't see all the AD users either. But adding a user to the ID
Views does fail on bad user names, which is not the same thing - I know -
but I only have a one way trust (from FreeIPA to AD) and the AD is managed
by the IT Overlords on Floor 6.

Bi-directional trust may have different usage?

>> Define user mappings:
>> IPA Server -> ID Views -> Default Trust View
> By "mapping" I meant adding an AD group to a FreeIPA group (which can be
> used for HBAC/sudo) so that AD membership is known by IPA when applying the
> HBAC/sudo rules.  For example:
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' external map" \
>   lgz_map_domain_admins \
>   --external
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' POSIX" \
>   lgz_domain_admins
> ipa group-add-member \
>   lgz_map_domain_admins \
>   --external 'LAB\Domain Admins'
> ipa group-add-member \
>   lgz_domain_admins \
>   --groups lgz_map_domain_admins

Through the groups UI, you can add an external group (we use the naming
system "ad_my_group"), then add the AD group as an external member to that
group (add AD-DOMAIN\my_group). Then we add the local POSIX group
("my_group") and make "ad_my_group" a member of that.

When you add a group in the groups, you will see the option for the group
to be POSIX, external or normal.


The most dangerous phrase in the language is, "We've always done it this

- Grace Hopper
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
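The external-group-plus-POSIX-group mapping discussed in this thread, as an added shell script that is not from the thread or the FreeIPA project. It assumes an established AD trust and an admin Kerberos ticket; `IPA_CMD`, `group_slug`, `map_ad_group` and `verify_map` are names chosen here, and `IPA_CMD=echo` previews the commands without touching the server.

```shell
#!/bin/sh
# Added example (not from the thread): scripts the two-group mapping above so it
# can be repeated for many AD groups. Assumes an established AD trust and an
# admin Kerberos ticket. IPA_CMD is an assumed hook: IPA_CMD=echo previews.
IPA_CMD="${IPA_CMD:-ipa}"

# group_slug 'Domain Admins' -> domain_admins (a safe FreeIPA group name)
group_slug() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]/_/g'
}

# map_ad_group NETBIOS 'AD Group' PREFIX
# Creates (when missing) and links two groups:
#   PREFIX_map_<slug>  external (non-POSIX) group that holds the AD group's SID
#   PREFIX_<slug>      POSIX group that HBAC and sudo rules can reference
map_ad_group() {
    netbios=$1 ad_group=$2 prefix=$3
    # refuse names that would need quoting games in the descriptions below
    case "$ad_group" in *\'*|*\"*|*\\*)
        echo "map_ad_group: unsafe AD group name: $ad_group" >&2; return 1;;
    esac
    slug=$(group_slug "$ad_group")
    ext="${prefix}_map_${slug}"
    posix="${prefix}_${slug}"
    # group-show fails when the group is absent, so re-running does not re-add
    "$IPA_CMD" group-show "$ext" >/dev/null 2>&1 ||
        "$IPA_CMD" group-add --external \
            --desc="$netbios '$ad_group' external map" "$ext"
    "$IPA_CMD" group-show "$posix" >/dev/null 2>&1 ||
        "$IPA_CMD" group-add --desc="$netbios '$ad_group' POSIX" "$posix"
    # the external member is written as NETBIOS\Group (one literal backslash)
    "$IPA_CMD" group-add-member --external "$netbios\\$ad_group" "$ext"
    "$IPA_CMD" group-add-member --groups "$ext" "$posix"
}

# verify_map POSIX EXT: 0 when EXT is listed among POSIX's member groups,
# i.e. the chain AD group -> external group -> POSIX group is in place
verify_map() {
    "$IPA_CMD" group-show "$1" | grep -q "Member groups:.*$2"
}
```

Running `map_ad_group LAB 'Domain Admins' lgz` reproduces the four commands from the thread; `verify_map lgz_domain_admins lgz_map_domain_admins` then confirms the nesting before any HBAC or sudo rule relies on it.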