On Sun, 14 May 2017, Patrick Hemmer wrote:
> I'm exploring using AD trusts, and am trying to find a good way to get
> better management of trusted objects within FreeIPA.
>
> One example, I add an AD user to an external group, and then add that
> group to a POSIX group. When I want to view all the members of the POSIX
> group, I can only see the native FreeIPA users. I have to manually go
> into each nested group, and view all the external members to determine
> who is in the top group. But from the command line a `getent group FOO`
> shows nested members fine.

This is due to how AD users are represented in IPA. They aren't real LDAP
objects, so the membership plugin is not creating backlinks between groups
and their members. Resolution of external members happens at the place
which evaluates them, e.g. SSSD or an HBAC test tool.

> Another example, I see an external user in a group, and I want more
> information about this user. Their name, department, etc. I can't get
> it. I have to go into AD to find out who this user is. It would be nice
> if I could see this info from within FreeIPA.

Yes, you need to go to the place where this user is defined, e.g. Active
Directory. We do not maintain information about AD users that belongs to
AD. You can only manage overrides for them, and even that is optional if
you are using POSIX attributes in AD LDAP.

> Or if I want to add an external user to a group, I have to know that
> user's exact AD logon name. If I only have their real name, or other
> information, I can't search for them and then add them to the group.

Sorry, that's not possible. We are able to address users only by their
samAccountName, their UPN, or directly by their SID. The rest is not
possible to retrieve in the general case when there is more than one domain
in an AD forest arranged in a complex topology. Their other properties
aren't guaranteed to be defined or unique.

> Is there any way to make these types of management tasks simpler? If
> not, is such a thing on the road map?

No for both, so far.

> Or as an alternative, is it possible to use the winsync plugin to pull
> users from AD, but whenever such a user tries to authenticate, the
> authentication is performed against AD? So that FreeIPA is used for
> authorization, but not authentication?

No, this is not possible.

/ Alexander Bokovoy
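The first question in the thread (seeing every member of a POSIX group when external AD members only appear on nested external groups) can be answered client-side by walking the nesting yourself, since the membership plugin does not create backlinks for external members. The script below is an added example and is not code from the FreeIPA project or from either participant. It assumes that each group's record has been obtained with `ipa group-show <name> --all --raw` and that, in that output, `member:` lines carry the DNs of nested users and groups while `ipaexternalmember:` lines carry AD SIDs; the group names and SIDs in the sample data are constructed. It reports SIDs only: resolving a SID to an AD name is, as Alexander says, SSSD's job, not IPA's.

```python
"""Walk nested FreeIPA groups and collect native users plus external (AD) SIDs.

Added example, not FreeIPA project code.  Assumed input format: the
attribute lines of `ipa group-show <name> --all --raw` (an assumption; check
against your IPA version).  All names and SIDs below are constructed.
"""
from typing import Dict, Set, Tuple

# Constructed sample data, shaped like parsed `ipa group-show` records.
# member_user: native IPA users; member_group: nested IPA groups;
# ipaexternalmember: AD SIDs held by an external (non-POSIX) group.
GROUPS: Dict[str, dict] = {
    "posix-devs": {"member_user": {"alice"},
                   "member_group": {"ad-devs-ext", "posix-ops"},
                   "ipaexternalmember": set()},
    "ad-devs-ext": {"member_user": set(), "member_group": set(),
                    "ipaexternalmember": {"S-1-5-21-1111-2222-3333-1001"}},
    "posix-ops": {"member_user": {"bob"},
                  # constructed cycle back to posix-devs: IPA allows this,
                  # so the walk must tolerate it
                  "member_group": {"ad-ops-ext", "posix-devs"},
                  "ipaexternalmember": set()},
    "ad-ops-ext": {"member_user": set(), "member_group": set(),
                   "ipaexternalmember": {"S-1-5-21-1111-2222-3333-1002",
                                         "S-1-5-21-1111-2222-3333-1001"}},
}


def parse_group_show(raw: str) -> dict:
    """Parse one `ipa group-show --all --raw` record into the dict shape above.

    Member DNs under cn=users become users, DNs under cn=groups become nested
    groups; ipaexternalmember values are kept verbatim as SIDs.
    """
    rec = {"member_user": set(), "member_group": set(), "ipaexternalmember": set()}
    for line in raw.splitlines():
        attr, sep, value = line.strip().partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "ipaexternalmember":
            rec["ipaexternalmember"].add(value)
        elif attr == "member":
            rdn, _, parent = value.partition(",")
            name = rdn.split("=", 1)[1] if "=" in rdn else rdn
            if parent.lower().startswith("cn=users,"):
                rec["member_user"].add(name)
            elif parent.lower().startswith("cn=groups,"):
                rec["member_group"].add(name)
    return rec


def effective_members(group: str,
                      groups: Dict[str, dict] = GROUPS) -> Tuple[Set[str], Set[str]]:
    """Return (native_users, external_sids) reachable from `group`.

    Iterative depth-first walk with a visited set so mutually nested groups
    terminate; a reference to an undefined group is an error, not silence.
    """
    users: Set[str] = set()
    external: Set[str] = set()
    visited: Set[str] = set()
    stack = [group]
    while stack:
        name = stack.pop()
        if name in visited:
            continue
        visited.add(name)
        if name not in groups:
            raise ValueError(f"group {name!r} referenced but not defined")
        rec = groups[name]
        users |= rec["member_user"]
        external |= rec["ipaexternalmember"]
        stack.extend(rec["member_group"])
    return users, external


if __name__ == "__main__":
    u, ext = effective_members("posix-devs")
    print("native users:", sorted(u))
    print("external SIDs:", sorted(ext))
```

In a live deployment you would replace `GROUPS` with records built by running `ipa group-show` for the top-level group and every group it names, feeding each record through `parse_group_show`; cross-check the result against `getent group <name>` on an enrolled client, which shows the SSSD-resolved view of the same membership.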
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project