[Freeipa-devel] HBAC for AD users Active Directory trust setup

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 12 09:05:14 UTC 2016


On Wed, 12 Oct 2016, rajat gupta wrote:
>Hi,
>
>Normally HBAC for AD users should be done through an external group.

You should use the freeipa-users@ mailing list for these questions.

And start with the documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html


>
>So for example if we have 500+ users on AD and only 100 users are
>administrators and they have Linux server access.
>
>I want to set the HBAC and sudo rules for users. So users have correct
>server access and sudo rights and I am using the *Active Directory
>trust setup*
>
>In this case I need to add all of the 100 users in FreeIPA as external
>group.
>
>for example :- user1 user name in AD
>
>*user1-external* external group in IPA for trusted domain users
>*user1 :-  *POSIX group for external

No, you don't need to do that. All you need to do is to create a group
on the AD side where your users who are to access Linux systems would be added and
then add that group to the external group on the IPA side.

>Do we have a document for implementing the HBAC and sudo rules for an external
>group?

See the above documentation and the discussions on the freeipa-users@ mailing list.

-- 
/ Alexander Bokovoy
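
The procedure described in the reply above, as an added example that is not part of the original message or of FreeIPA's own documentation: one AD group is mapped into an IPA external group, nested in a POSIX group, and referenced by an HBAC rule. The AD group, IPA group, host group and rule names are assumptions, and the function only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. All names passed in (AD group, IPA groups, host group, rule)
# are assumptions; the host group must already exist in IPA.
# DRY_RUN=1 (the default) prints each ipa command instead of running it.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_ad_hbac() {
    if [ "$#" -ne 5 ]; then
        echo "usage: setup_ad_hbac AD_GROUP EXT_GROUP POSIX_GROUP HOSTGROUP RULE" >&2
        return 2
    fi
    ad_group=$1; ext_group=$2; posix_group=$3; hostgroup=$4; rule=$5

    # 1. Non-POSIX external group: holds references to trusted-domain objects.
    run ipa group-add "$ext_group" --external || return
    # 2. POSIX group: the one HBAC and sudo rules refer to.
    run ipa group-add "$posix_group" || return
    # 3. Map the single AD group (not 100 individual users) into the external
    #    group. -n stops the CLI prompting for the unused member options.
    run ipa -n group-add-member "$ext_group" --external "$ad_group" || return
    # 4. Nest the external group inside the POSIX group.
    run ipa group-add-member "$posix_group" --groups="$ext_group" || return
    # 5. HBAC rule: members of the POSIX group may use sshd on the host group.
    run ipa hbacrule-add "$rule" || return
    run ipa hbacrule-add-user "$rule" --groups="$posix_group" || return
    run ipa hbacrule-add-host "$rule" --hostgroups="$hostgroup" || return
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd || return
    # The stock allow_all rule still grants everyone access while it is
    # enabled; check the result with `ipa hbactest` before relying on the rule.
}

# Example call (constructed names):
# setup_ad_hbac 'AD\linux-admins' ad_admins_external ad_admins linux_servers allow_ad_admins
```

Access is then managed by changing membership of the AD group only; the IPA-side groups and rule stay untouched.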