On 2 February 2017 at 10:06, Jason B. Nance <ja...@tresgeek.net> wrote:
> > > - User/group management in general becomes largely a command-line
> > > operation (such as mapping groups so they can be used in HBAC and sudo
> > > rules)
> > >
> > > While this is a nice-to-have, it isn't a deal breaker.
> > >
> >
> > This definitely exists in WebUI? Unless you mean something I don't
> > understand.
> >
> > Define groups:
> > Identity->User Groups (second tab)
> >
>
> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users
> that are known via the trust with AD) under the "Users" tab. There is
> limited visibility / management of external groups and membership, but
> nothing that displays a list of available users/groups in AD when
> attempting to create/modify a user/group.
>

Ah! Yes, I can't see all the AD users either. But adding a user to the ID Views does fail on bad user names, which is not the same thing - I know - but I only have a one-way trust (from FreeIPA to AD) and the AD is managed by the IT Overlords on Floor 6. Bidirectional trust may have different usage?

> > Define user mappings:
> > IPA Server -> ID Views -> Default Trust View
> >
>
> By "mapping" I meant adding an AD group to a FreeIPA group (which can be
> used for HBAC/sudo) so that AD membership is known by IPA when applying the
> HBAC/sudo rules. For example:
>
> ipa group-add \
>     --desc="lab.gen.zone 'Domain Admins' external map" \
>     lgz_map_domain_admins \
>     --external
> ipa group-add \
>     --desc="lab.gen.zone 'Domain Admins' POSIX" \
>     lgz_domain_admins
> ipa group-add-member \
>     lgz_map_domain_admins \
>     --external 'LAB\Domain Admins'
> ipa group-add-member \
>     lgz_domain_admins \
>     --groups lgz_map_domain_admins
>

Through the groups UI, you can add an external group (we use the naming system "ad_my_group"), then add the AD group as an external member to that group (add AD-DOMAIN\my_group). Then we add the local POSIX group ("my_group") and make "ad_my_group" a member of that. When you add a group in the groups UI, you will see the option for the group to be POSIX, external or normal.
cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper
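The four-step mapping from the thread (external group, POSIX group, AD member, nesting), wrapped into one reusable function as an added example; this is not code from the thread or from the FreeIPA project. It assumes the "ad_<group>" / "<group>" naming convention from the reply, that `ipa` is on PATH with a valid admin ticket, and adds an `ipa group-show` existence check so re-runs skip groups that already exist.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: wraps the
# external-group -> POSIX-group mapping discussed above into one function.
# Naming convention (from the reply): external group "ad_<group>", POSIX
# group "<group>". Assumes `ipa` is on PATH with a valid admin ticket;
# override IPA (e.g. IPA=echo) to print the commands instead of running them.
IPA="${IPA:-ipa}"

# Derive a FreeIPA group name from an AD group name: lowercase, and any
# character outside [a-z0-9_-] (e.g. the space in "Domain Admins") -> "_".
ipa_name_for() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9_-]/_/g'
}

# map_ad_group NETBIOS_DOMAIN "AD Group Name" [description-prefix]
# Creates (if missing) the external group that holds the AD group and the
# POSIX group that HBAC/sudo rules reference, then links them.
map_ad_group() {
    domain="$1"; ad_group="$2"; prefix="${3:-$domain}"
    base=$(ipa_name_for "$ad_group")
    ext="ad_${base}"
    posix="$base"
    # The external (non-POSIX) group is the only kind that accepts AD members.
    $IPA group-show "$ext" >/dev/null 2>&1 || \
        $IPA group-add "$ext" --external --desc="$prefix '$ad_group' external map"
    # The POSIX group gets a GID and is what HBAC/sudo rules should name.
    $IPA group-show "$posix" >/dev/null 2>&1 || \
        $IPA group-add "$posix" --desc="$prefix '$ad_group' POSIX"
    # AD group -> external group -> POSIX group.
    $IPA group-add-member "$ext" --external "${domain}\\${ad_group}"
    $IPA group-add-member "$posix" --groups "$ext"
}

# Example usage with the values from Jason's message:
# map_ad_group LAB "Domain Admins" lab.gen.zone
```

Membership through the external group is what lets an HBAC or sudo rule that names the POSIX group apply to AD users, so check the POSIX group (not the external one) when a rule does not fire as expected.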
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project