Hi folks,

Have an AWS footprint that thanks to FreeIPA can talk to a really complex remote AD forest with lots of transitive trusts and child domains. Would not be possible without FreeIPA in the mix.

So far we've only really been required to grant admin/sudo access, and we've done that individually with role-based user and hostgroups.

I'm comfortable with bringing an AD user into the fold:

1. Make a non-posix group in FreeIPA to hold the AD usernames
2. Make a second group of type=POSIX that inherits members from the external non-posix group
3. Implement RBAC controls and rules via the posix group
4. magic!

Now I need to globally allow SSH and possibly other PAM service access based on pre-existing AD group membership.

Looking for guidance or URLs on how to manage RBAC controls based on AD group rather than AD username.

Is it roughly the same (or exactly the same?)

- Make non-posix group that references the AD group in FreeIPA
- Make POSIX group in FreeIPA that inherits members of the non-posix group
- Implement RBAC rules?

Any tips or cheatsheets for allowing RBAC controls based on groups that exist in AD would be appreciated. Thanks!

Chris
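The AD-group variant of the workflow described in the post, as an added example that is not from the original post or from the FreeIPA project: the external group references the AD group itself, a POSIX group nests it, and HBAC/sudo rules reference only the POSIX group. The AD group name, hostgroup, rule names, test user and host are assumptions; DRY_RUN=1 prints the ipa commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): grant SSH and sudo to members
# of an existing AD group via FreeIPA. Assumed names: AD group "AD\Linux Admins",
# IPA hostgroup aws_hosts. DRY_RUN=1 prints the ipa commands instead of running them.
set -eu

ipa_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'ipa'; for arg in "$@"; do printf " '%s'" "$arg"; done; printf '\n'
  else
    ipa "$@"
  fi
}

# Same shape as the per-user flow, but the external member is the AD group,
# so membership follows AD with no per-user changes in FreeIPA.
map_ad_group() {
  ad_group="$1"; ext_group="$2"; posix_group="$3"
  ipa_cmd group-add --external "$ext_group" --desc "AD group $ad_group"
  ipa_cmd group-add-member "$ext_group" --external "$ad_group"
  ipa_cmd group-add "$posix_group" --desc "POSIX wrapper for $ext_group"
  ipa_cmd group-add-member "$posix_group" --groups "$ext_group"
}

# HBAC (PAM service access) and sudo rules reference the POSIX group only;
# hosts are scoped to a hostgroup rather than allowed everywhere.
grant_ssh_and_sudo() {
  posix_group="$1"; hostgroup="$2"; rule="$3"
  ipa_cmd hbacrule-add "$rule" --desc "SSH for $posix_group on $hostgroup"
  ipa_cmd hbacrule-add-user "$rule" --groups "$posix_group"
  ipa_cmd hbacrule-add-host "$rule" --hostgroups "$hostgroup"
  ipa_cmd hbacrule-add-service "$rule" --hbacsvcs sshd
  ipa_cmd sudorule-add "${rule}_sudo" --cmdcat all
  ipa_cmd sudorule-add-user "${rule}_sudo" --groups "$posix_group"
  ipa_cmd sudorule-add-host "${rule}_sudo" --hostgroups "$hostgroup"
}

# Verify the outcome for one AD user and host before relying on it.
check_access() {
  ipa_cmd hbactest --user "$1" --host "$2" --service sshd
}

if [ "${1:-}" = "run" ]; then
  map_ad_group 'AD\Linux Admins' linux_admins_ext linux_admins
  grant_ssh_and_sudo linux_admins aws_hosts linux_admins_ssh
  check_access 'jdoe@ad.example.com' 'web01.ipa.example.com'
fi
```

Run with `DRY_RUN=1 sh script.sh run` first to review the exact commands, then without DRY_RUN as a user holding a Kerberos ticket with group and rule management rights.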

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org