On Wed, 01 Feb 2017, Jason B. Nance wrote:
> > > - User/group management in general becomes largely a command-line operation
> > >   (such as mapping groups so they can be used in HBAC and sudo rules)
> > >
> > > While this is a nice-to-have, it isn't a deal breaker.

> > This definitely exists in WebUI? Unless you mean something I don't understand.
> >
> > Define groups:
> > Identity->User Groups (second tab)

> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users
> (users that are known via the trust with AD) under the "Users" tab.
> There is limited visibility / management of external groups and
> membership, but nothing that displays a list of available users/groups
> in AD when attempting to create/modify a user/group.
Not seeing AD users is the correct thing; you don't miss anything.

This topic comes up regularly on the list. It is described in the Windows
integration guide, we discuss it here, you can look into the archives, for
example:

https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html

IPA is not designed to give you the ability to manage your AD users as if
they were in IPA -- you cannot create them there, you cannot list them
there. They are not and there is no need to pretend they are.

POSIX attributes for them can be managed in the ID overrides (in Default
Trust View). We are working on making it possible to do self-service in web
UI for AD users themselves in upcoming releases. You can do 'self-service'
as an AD user in CLI already with

 ipa idoverrideuser-mod "default trust view" your.account@ad.domain [options]

but you currently cannot log in as an AD user to web UI. Also the ID Override
needs to be pre-created by the IPA admin right now -- just do

 ipa idoverrideuser-add "default trust view" your.account@ad.domain


> > Define user mappings:
> > IPA Server -> ID Views -> Default Trust View

> By "mapping" I meant adding an AD group to a FreeIPA group (which can be used
> for HBAC/sudo) so that AD membership is known by IPA when applying the HBAC/sudo rules.
> For example:
>
> ipa group-add \
>     --desc="lab.gen.zone 'Domain Admins' external map" \
>     lgz_map_domain_admins \
>     --external
> ipa group-add \
>     --desc="lab.gen.zone 'Domain Admins' POSIX" \
>     lgz_domain_admins
> ipa group-add-member \
>     lgz_map_domain_admins \
>     --external 'LAB\Domain Admins'
> ipa group-add-member \
>     lgz_domain_admins \
>     --groups lgz_map_domain_admins
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
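The chain Jason builds above (AD group -> external IPA group -> POSIX IPA group) is what HBAC and sudo rules actually evaluate, so a missing link makes a rule silently never match. As an added example, not from this thread or the FreeIPA project, here is a POSIX sh check over `ipa group-show` output that confirms each link; it reuses the group names from the commands above, while the group-show text and the SID are constructed stand-ins.

```sh
#!/bin/sh
# Added example, not from the thread: verify the AD -> external group -> POSIX
# group chain that HBAC/sudo rules depend on. On a real server, pass the output
# of `ipa group-show <group>`; the samples below are constructed stand-ins.

# Print the value of one "Label: value" line from ipa group-show output.
ipa_field() {
    # $1 = group-show output, $2 = field label
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# check_mapping POSIX_SHOW EXTERNAL_SHOW EXTERNAL_GROUP_NAME
# Exit 0 if every link is present, 1 otherwise (missing links are reported).
check_mapping() {
    posix_out=$1; ext_out=$2; ext_name=$3; rc=0
    # Link 1: the POSIX group needs a GID, or sudo/HBAC cannot resolve it.
    [ -n "$(ipa_field "$posix_out" GID)" ] \
        || { echo "POSIX group has no GID"; rc=1; }
    # Link 2: the external (map) group must be a member group of the POSIX group.
    case " $(ipa_field "$posix_out" 'Member groups' | tr ',' ' ') " in
        *" $ext_name "*) ;;
        *) echo "$ext_name is not a member group of the POSIX group"; rc=1 ;;
    esac
    # Link 3: the external group must carry an AD group SID as external member.
    ipa_field "$ext_out" 'External member' | grep -q '^S-1-5-21-' \
        || { echo "external group has no AD SID member"; rc=1; }
    return $rc
}

# Constructed sample output in the shape of `ipa group-show` (placeholder SID).
POSIX_OK='  Group name: lgz_domain_admins
  Description: lab.gen.zone Domain Admins POSIX
  GID: 1878600005
  Member groups: lgz_map_domain_admins'
EXT_OK='  Group name: lgz_map_domain_admins
  Description: lab.gen.zone Domain Admins external map
  External member: S-1-5-21-1111111111-2222222222-3333333333-512'
# Broken chain: the POSIX group exists but was never linked to the map group.
POSIX_UNLINKED='  Group name: lgz_domain_admins
  GID: 1878600005'

check_mapping "$POSIX_OK" "$EXT_OK" lgz_map_domain_admins && echo "chain complete"
```

On a live server the same function can be fed `"$(ipa group-show lgz_domain_admins)"` and `"$(ipa group-show lgz_map_domain_admins)"` in place of the constructed samples.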