[Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 10:43:42 UTC 2016


On Fri, 10 Jun 2016, Petr Vobornik wrote:
>On 06/09/2016 09:47 PM, Alexander Bokovoy wrote:
>> On Thu, 09 Jun 2016, Martin Basti wrote:
>>>
>>>
>>> On 09.06.2016 17:49, Martin Babinsky wrote:
>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>>>>> Hi,
>>>>>
>>>>> In case an ID override was created for an Active Directory user in the
>>>>> default trust view, allow mapping the incoming GSSAPI authenticated
>>>>> connection to the ID override for this user.
>>>>>
>>>>> This allows users to self-manage ID override parameters from the CLI, for
>>>>> example, SSH public keys or certificates. Admins can define what can be
>>>>> changed by the users via self-service permissions.
>>>>>
>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>>>>
>>>>>
>>>>>
>>>> ACK
>>>>
>>>
>>> Ticket for this is in 'Tickets Deferred' milestone and should be
>>> re-triaged before push
>> The ticket itself covers a far longer story and should stay in the
>> deferred bucket. However, this specific part of the implementation was
>> already discussed to be for 4.4. Don't pull the original ticket, as I'm
>> using it as a tracker.
>
>This ticket should be used for that:
>https://fedorahosted.org/freeipa/ticket/3242
I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and
is properly describing what this is about.

Note that if you manually add an ID Override record to the cn=admins group,
then AD users will indeed be able to manage IPA via CLI.

3242 is more UI related. The UI part needs to be done as we have explicit
prevention for AD user logons right now.
-- 
/ Alexander Bokovoy



