On 05/12/2017 04:09 PM, Tym Rehm wrote:
So I'm testing a new freeipa 4.x setup that has a one-way trust to
Active Directory. I have been able to define user groups to access the
AD groups and configure the groups to work with HBAC rules. So my AD
users are able to ssh into the client machines if HBAC allows them to.

The issue I'm having is that I would like to allow the AD users to login
to the webgui. I currently have the users in the defined in the ID views
(Default Trust View). I'm only setting the Home Directory at present,
should I add to the ID view?


Do not meddle in the affairs of dragons cause you are crunchy and good
with ketchup.

Hi Tym,

this feature is available since FreeIPA 4.5.1 (see ticket 3242 [1]). You need to define a idoverrideuser for each AD user with:
$ ipa idoverrideuser-add 'Default Trust View' adu...@ad-domain.com


[1] https://pagure.io/freeipa/issue/3242

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to