Re: [Freeipa-users] Allow external AD users on webui
Sorry for the late reply, I've seen this on the mailing list a few times and wondered about it myself. This was my solution:

IPA has an option to use a RADIUS password, for which you can also override the username. So for those users that are allowed to manage IPA, we have google-auth and freeradius gateways set up with a user-override.

For example, jev...@ipa.example.com has radius user of jev...@ad.example.com. I log into the webui with jev...@ipa.example.com with my password for jev...@ad.example.com (and in my case, I add my google auth OTP).

Does this help?

-Jake

----- Original Message -----
From: "Alexander Bokovoy"
To: "Troels Hansen"
Cc: "freeipa-users"
Sent: Monday, October 31, 2016 3:59:36 AM
Subject: Re: [Freeipa-users] Allow external AD users on webui

On Mon, 31 Oct 2016, Troels Hansen wrote:
>----- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> You make it sound as if it is a done deal. It is not, there are a number
>> of changes that we have not yet figured out how to do in an efficient way.
>>
>> It is in our pipeline for 4.5. It is understandable that people ask for
>> this feature. It also should be clear to you that had it been a simple
>> thing, it would have been implemented already.
>>
>> If you want to see progress, subscribe to the ticket.
>
>Hi Alexander
>
>It was in no way a criticism of the FreeIPA team. I'm well aware of the
>work being put into this product from the core team, and appreciate
>every new release, but I'm also not really able to help much with the
>development, only testing and feedback.

That's why I asked you to subscribe to the ticket. Once the changes are ready, you could help with testing them.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Allow external AD users on webui
On Mon, 31 Oct 2016, Troels Hansen wrote:
>----- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> You make it sound as if it is a done deal. It is not, there are a number
>> of changes that we have not yet figured out how to do in an efficient way.
>>
>> It is in our pipeline for 4.5. It is understandable that people ask for
>> this feature. It also should be clear to you that had it been a simple
>> thing, it would have been implemented already.
>>
>> If you want to see progress, subscribe to the ticket.
>
>Hi Alexander
>
>It was in no way a criticism of the FreeIPA team. I'm well aware of the
>work being put into this product from the core team, and appreciate
>every new release, but I'm also not really able to help much with the
>development, only testing and feedback.

That's why I asked you to subscribe to the ticket. Once the changes are ready, you could help with testing them.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Allow external AD users on webui
----- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> You make it sound as if it is a done deal. It is not, there are a number
> of changes that we have not yet figured out how to do in an efficient way.
>
> It is in our pipeline for 4.5. It is understandable that people ask for
> this feature. It also should be clear to you that had it been a simple
> thing, it would have been implemented already.
>
> If you want to see progress, subscribe to the ticket.

Hi Alexander

It was in no way a criticism of the FreeIPA team. I'm well aware of the work being put into this product from the core team, and appreciate every new release, but I'm also not really able to help much with the development, only testing and feedback.

I'm aware that this request isn't a simple change of structure, and the complexity of the product.

Also, at the same time, a big thumbs up to the whole IPA team! Keep up the good work...
Re: [Freeipa-users] Allow external AD users on webui
On Mon, 31 Oct 2016, Troels Hansen wrote:
> Hi there
>
> After trying to add external usergroups from AD to allow (admin) users
> to log in to IPA webUI, by adding the groups to the local admin group
> and discovering that it didn't work, I found that as far as I can see,
> it's currently not possible, and found this rather old ticket on the
> case:
>
> https://fedorahosted.org/freeipa/ticket/3242
>
> I can see that it's currently pushed for IPA 4.5 and that the required
> patch seems to have been made, but also that the request has been
> pushed for some time now.
>
> Is there an active plan for pushing this into the 4.5 release, as I too
> would like to have this implemented and see this as a BIG missing
> feature that everyone has to log in as admin, or create local IPA
> users, to be able to log in to webui.

You make it sound as if it is a done deal. It is not, there are a number of changes that we have not yet figured out how to do in an efficient way.

It is in our pipeline for 4.5. It is understandable that people ask for this feature. It also should be clear to you that had it been a simple thing, it would have been implemented already.

If you want to see progress, subscribe to the ticket.

--
/ Alexander Bokovoy
[Freeipa-users] Allow external AD users on webui
Hi there

After trying to add external usergroups from AD to allow (admin) users to log in to IPA webUI, by adding the groups to the local admin group and discovering that it didn't work, I found that as far as I can see, it's currently not possible, and found this rather old ticket on the case:

https://fedorahosted.org/freeipa/ticket/3242

I can see that it's currently pushed for IPA 4.5 and that the required patch seems to have been made, but also that the request has been pushed for some time now.

Is there an active plan for pushing this into the 4.5 release, as I too would like to have this implemented and see this as a BIG missing feature that everyone has to log in as admin, or create local IPA users, to be able to log in to webui.