[Freeipa-users] Adding user created in IPA to end machine group

Jakub Hrozek jhrozek at redhat.com
Sun Aug 10 15:33:03 UTC 2014


On Sun, Aug 10, 2014 at 12:40:49AM -0400, Dmitri Pal wrote:
> On 07/25/2014 12:45 AM, Sanju A wrote:
> >Dear All,
> >
> >Centralized authentication is working fine and we have a requirement to
> >give privilege to users for configuring printer in their machines. For
> >local users, they will get the privilege by adding them to the local
> >printer group (lp or lpadmin group).
> >
> >Is there any way to add the user to the end machine printer group?
> You can't add central users to local groups.
> I am not familiar with printer configuration policies.
> Which systems are the clients? RHEL? Fedora? CentOS?
> In all these cases I suspect this would be done via policy kit policies so
> maybe the way to go is to update policy to point to user's private group.
> 
> I smell RFE here but probably for SSSD rather than IPA.

I suspect this should work already. My LDAP user (fetched via SSSD) is a
happy member of several local groups such as mock.

Just add him with the usual shadow-utils tools:
    usermod -a -G $groupname $username

What is problematic is the other way around, that is, add a local user
to an LDAP group. Currently we can only do this for the RFC2307 schema,
not for RFC2307bis or its variants.
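
An added example, not part of the original message: because `usermod -a -G` records the membership only in the client's own /etc/group, the grant is not visible from the IPA server, so this check lists local-group members that have no entry in the local passwd file (for example users resolved through SSSD). The function name `list_nonlocal_members` and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# list_nonlocal_members [GROUP_FILE] [PASSWD_FILE]
# Prints "group:member" for every member named in GROUP_FILE that has no
# entry in PASSWD_FILE, i.e. an account supplied by another NSS source.
list_nonlocal_members() {
    awk -F: '
        /^#/ || NF == 0 { next }                       # skip comments and blank lines
        FILENAME == ARGV[1] { is_local[$1] = 1; next } # first file: local accounts
        $4 != "" {                                     # second file: group member list
            n = split($4, member, ",")
            for (i = 1; i <= n; i++)
                if (member[i] != "" && !(member[i] in is_local))
                    print $1 ":" member[i]
        }
    ' "${2:-/etc/passwd}" "${1:-/etc/group}"
}

# Constructed sample data: alice is a local account, ipauser1 and ldapuser
# exist only in the central directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' > "$d/passwd"
    printf '%s\n' \
        'lp:x:7:alice,ipauser1' \
        'mock:x:135:ldapuser' \
        'wheel:x:10:alice' \
        'users:x:100:' > "$d/group"
    list_nonlocal_members "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo
```

Called with no arguments, `list_nonlocal_members` reads the client's own /etc/group and /etc/passwd.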
