I'm exploring using AD trusts, and am trying to find a good way to get
better management of trusted objects within FreeIPA.

One example, I add an AD user to an external group, and then add that
group to a POSIX group. When I want to view all the members of the POSIX
group, I can only see the native FreeIPA users. I have to manually go
into each nested group, and view all the external members to determine
who is in the top group. But from the command line a `getent group FOO`
shows nested members fine.

Another example, I see an external user in a group, and I want more
information about this user. Their name, department, etc. I can't get
it. I have to go into AD to find out who this user is. It would be nice
if I could see this info from within FreeIPA.

Or if I want to add an external user to a group, I have to know that
user's exact AD logon name. If I only have their real name, or other
information, I can't search for them and then add them to the group.

Is there any way to make these types of management tasks simpler? If
not, is such a thing on the road map?

Or as an alternative, is it possible to use the winsync plugin to pull
users from AD, but whenever such a user tries to authenticate, the
authentication is performed against AD? So that FreeIPA is used for
authorization, but not authentication?



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to