Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Alexander Bokovoy

On Fri, 12 May 2017, Tym Rehm wrote:

> So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
> Directory. I have been able to define user groups to access the AD groups
> and configure the groups to work with HBAC rules. So my AD users are able
> to ssh into the client machines if HBAC allows them to.
>
> The issue I'm having is that I would like to allow the AD users to log in to
> the webgui. I currently have the users defined in the ID views
> (Default Trust View). I'm only setting the Home Directory at present,
> should I add to the ID view?

As Flo pointed out, login to web UI as AD user only works in FreeIPA
4.5.1+. If you have 4.4, you can only get AD users to access IPA CLI. To
do that you only need to create ID override as admin:

ipa idoverrideuser-add 'Default Trust View' u...@ad.test

Just creating an ID override without anything else is enough.

Web UI support for AD users' self-service is only in 4.5.1+ which is
currently not packaged anywhere, I guess.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
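
The version gate and the one-override-per-user step described in the replies in this thread, as an added example that is not part of any poster's message. The helper names and the AD user names are constructed; the script only prints the `ipa idoverrideuser-add` commands for review and does not run them.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names and AD users are constructed.

# version_ge A B: true when dotted version A >= B. Fields are compared as
# numbers, so 4.10.0 ranks above 4.5.1; a package suffix (-2.el7) is ignored.
version_ge() {
    a=${1%%[!0-9.]*}
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# ad_access VERSION: what an ID override gives an AD user, per the replies:
# web UI login needs 4.5.1+; on 4.4 the override only enables the IPA CLI.
ad_access() {
    if version_ge "$1" 4.5.1; then echo "cli webui"; else echo "cli"; fi
}

# override_cmds: read user@domain names on stdin, print one
# idoverrideuser-add command per distinct user. Names with characters outside
# a conservative set are skipped so the output is safe to review and run.
override_cmds() {
    sort -u | while IFS= read -r u; do
        case $u in
            '') ;;
            *[!A-Za-z0-9._@-]*|*@*@*|@*|*@) echo "skipped: $u" >&2 ;;
            *@*) printf "ipa idoverrideuser-add 'Default Trust View' %s\n" "$u" ;;
            *) echo "skipped: $u" >&2 ;;
        esac
    done
}

# Constructed sample input: one duplicate and one malformed entry.
sample_users='alice@ad.test
bob@ad.test
alice@ad.test
bob;id@ad.test'

echo "FreeIPA 4.4.0 -> $(ad_access 4.4.0)"
echo "FreeIPA 4.5.1 -> $(ad_access 4.5.1)"
printf '%s\n' "$sample_users" | override_cmds
```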


Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Florence Blanc-Renaud

On 05/12/2017 04:09 PM, Tym Rehm wrote:

> So I'm testing a new freeipa 4.x setup that has a one-way trust to
> Active Directory. I have been able to define user groups to access the
> AD groups and configure the groups to work with HBAC rules. So my AD
> users are able to ssh into the client machines if HBAC allows them to.
>
> The issue I'm having is that I would like to allow the AD users to log in
> to the webgui. I currently have the users defined in the ID views
> (Default Trust View). I'm only setting the Home Directory at present,
> should I add to the ID view?
>
> Thanks
>
> --
> --
> Do not meddle in the affairs of dragons cause you are crunchy and good
> with ketchup.

Hi Tym,

this feature is available since FreeIPA 4.5.1 (see ticket 3242 [1]). You
need to define an idoverrideuser for each AD user with:

$ ipa idoverrideuser-add 'Default Trust View' adu...@ad-domain.com

HTH,
Flo.

[1] https://pagure.io/freeipa/issue/3242



[Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Tym Rehm

So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
Directory. I have been able to define user groups to access the AD groups
and configure the groups to work with HBAC rules. So my AD users are able
to ssh into the client machines if HBAC allows them to.

The issue I'm having is that I would like to allow the AD users to log in to
the webgui. I currently have the users defined in the ID views
(Default Trust View). I'm only setting the Home Directory at present,
should I add to the ID view?

Thanks

-- 
--
Do not meddle in the affairs of dragons cause you are crunchy and good with
ketchup.