Re: [Freeipa-users] External group membership

2015-04-23 Thread Dmitri Pal

On 04/22/2015 01:21 PM, Benjamen Keroack wrote:

Hi Dmitri,

I'd be happy to test sssd 1.13 alpha. Is there any easy way to install 
on Ubuntu, or do I need to pull and compile from source?


For alpha you probably would need to go from source, but once 1.13 is 
released the distro owners do a great job of keeping up with the upstream.

Please watch for the announcements on the list.



Thanks,

On Fri, Apr 17, 2015 at 9:07 PM, Dmitri Pal wrote:


On 04/17/2015 09:12 PM, Benjamen Keroack wrote:

Hi,

We have a number of local groups on our IPA-managed servers that
we add LDAP/IPA users to. This works fine locally on the server
on an ad hoc basis:

$ usermod -a -G local-group test.user

However I'm trying to do this as part of user provisioning in IPA
via user groups. I've created external user groups in IPA, then
added those external groups to the user groups that new users are
added to via automember rules. For example:

local-group [external] -> [is a member of] -> developers [IPA group]

Then I SSH into one of the servers as a user who is a member of
developers:

test.user@qa$ groups
test.user developers qa_users

I do not see 'local-group' membership, even after restarting
sssd/rebooting. Is it possible to achieve this kind of automatic
local group membership? The only alternative I can see would be
to write a SUID binary that .bash_profile runs on login to add
them to the applicable groups, which seems like a bad hack.

This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu
Trusty.

Thanks for any help,

-- 
Benjamen Keroack

/Infrastructure/DevOps Engineer/
benja...@dollarshaveclub.com 





It looks like you are looking for this:
https://fedorahosted.org/sssd/ticket/1591
It is on the roadmap for 1.13 alpha which should be out in a couple
of months.
Would you be interested to test?

-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




--
Benjamen Keroack
/Infrastructure/DevOps Engineer/
benja...@dollarshaveclub.com 




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] External group membership

2015-04-22 Thread Benjamen Keroack
Hi Dmitri,

I'd be happy to test sssd 1.13 alpha. Is there any easy way to install on
Ubuntu, or do I need to pull and compile from source?

Thanks,

On Fri, Apr 17, 2015 at 9:07 PM, Dmitri Pal wrote:

>  On 04/17/2015 09:12 PM, Benjamen Keroack wrote:
>
> Hi,
>
>  We have a number of local groups on our IPA-managed servers that we add
> LDAP/IPA users to. This works fine locally on the server on an ad hoc basis:
>
>  $ usermod -a -G local-group test.user
>
>  However I'm trying to do this as part of user provisioning in IPA via
> user groups. I've created external user groups in IPA, then added those
> external groups to the user groups that new users are added to via
> automember rules. For example:
>
>  local-group [external] -> [is a member of] -> developers [IPA group]
>
>  Then I SSH into one of the servers as a user who is a member of
> developers:
>
>  test.user@qa$ groups
> test.user developers qa_users
>
>  I do not see 'local-group' membership, even after restarting
> sssd/rebooting. Is it possible to achieve this kind of automatic local
> group membership? The only alternative I can see would be to write a SUID
> binary that .bash_profile runs on login to add them to the applicable
> groups, which seems like a bad hack.
>
>  This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.
>
>  Thanks for any help,
>
>  --
>   Benjamen Keroack
> *Infrastructure/DevOps Engineer*
> benja...@dollarshaveclub.com
>
>
>
>
> It looks like you are looking for this:
> https://fedorahosted.org/sssd/ticket/1591
> It is on the roadmap for 1.13 alpha which should be out in a couple of months.
> Would you be interested to test?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>



-- 
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com

Re: [Freeipa-users] External group membership

2015-04-17 Thread Dmitri Pal

On 04/17/2015 09:12 PM, Benjamen Keroack wrote:

Hi,

We have a number of local groups on our IPA-managed servers that we 
add LDAP/IPA users to. This works fine locally on the server on an ad 
hoc basis:


$ usermod -a -G local-group test.user

However I'm trying to do this as part of user provisioning in IPA via 
user groups. I've created external user groups in IPA, then added 
those external groups to the user groups that new users are added to 
via automember rules. For example:


local-group [external] -> [is a member of] -> developers [IPA group]

Then I SSH into one of the servers as a user who is a member of 
developers:


test.user@qa$ groups
test.user developers qa_users

I do not see 'local-group' membership, even after restarting 
sssd/rebooting. Is it possible to achieve this kind of automatic local 
group membership? The only alternative I can see would be to write a 
SUID binary that .bash_profile runs on login to add them to the 
applicable groups, which seems like a bad hack.


This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.

Thanks for any help,

--
Benjamen Keroack
/Infrastructure/DevOps Engineer/
benja...@dollarshaveclub.com 





It looks like you are looking for this: 
https://fedorahosted.org/sssd/ticket/1591

It is on the roadmap for 1.13 alpha which should be out in a couple of months.
Would you be interested to test?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] External group membership

2015-04-17 Thread Benjamen Keroack
Hi,

We have a number of local groups on our IPA-managed servers that we add
LDAP/IPA users to. This works fine locally on the server on an ad hoc basis:

$ usermod -a -G local-group test.user

However I'm trying to do this as part of user provisioning in IPA via user
groups. I've created external user groups in IPA, then added those external
groups to the user groups that new users are added to via automember rules.
For example:

local-group [external] -> [is a member of] -> developers [IPA group]

Then I SSH into one of the servers as a user who is a member of developers:

test.user@qa$ groups
test.user developers qa_users

I do not see 'local-group' membership, even after restarting
sssd/rebooting. Is it possible to achieve this kind of automatic local
group membership? The only alternative I can see would be to write a SUID
binary that .bash_profile runs on login to add them to the applicable
groups, which seems like a bad hack.

This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.

Thanks for any help,

-- 
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com