[Freeipa-users] about AD trusts and passthrough authentication

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 11 20:08:11 UTC 2014


On Mon, 11 Aug 2014, Daniel Shown wrote:
>I'm fairly new to FreeIPA, so can someone give me a sanity check? Should I
>be able to map AD users in an AD trust to corresponding FreeIPA users?
>i.e. Users can auth with their AD credentials and get a FreeIPA uidnumber,
>gidnumber, home, etc.?
Users from a trusted forest are treated as separate users. They have
their own identities and get IDs either from Active Directory (if POSIX
compatibility is enabled at AD) or from a special ID range allocated for
them in IPA.

You can include these users (and groups, it doesn't matter what is what)
in a special type of group in IPA, called "external" groups. These
groups, in turn, can be members of existing POSIX groups from IPA. If
done so, your AD users will become members of the appropriate POSIX groups
from IPA by means of nested membership.

These POSIX groups can then be used to apply SUDO or HBAC rules to
AD users.

-- 
/ Alexander Bokovoy
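The external-group nesting described in the reply, written out as ipa CLI steps (an added example, not part of the original post): an external group holds the AD group, a POSIX group nests the external one, and HBAC and sudo rules reference the POSIX group. The names AD, "Domain Admins", ad_admins and ad_admin_hosts are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): maps a group from a trusted AD
# forest into an IPA POSIX group via an "external" group, then uses the POSIX
# group in an HBAC rule and a sudo rule. All names (AD, "Domain Admins",
# ad_admins, ad_admin_hosts) are hypothetical placeholders.
# IPA_CMD=echo gives a dry run that only prints the ipa commands.
IPA_CMD="${IPA_CMD:-ipa}"

# map_ad_group NETBIOS "AD group" posix_group ipa_hostgroup
map_ad_group() {
    netbios="$1"; ad_group="$2"; posix="$3"; hostgroup="$4"
    ext="${posix}_external"

    # 1. External group: may hold AD users/groups (by SID) but has no
    #    gidNumber, so it cannot be referenced by sudo/HBAC directly.
    "$IPA_CMD" group-add "$ext" --external \
        --desc="External map for $netbios\\$ad_group"
    "$IPA_CMD" group-add-member "$ext" --external "$netbios\\$ad_group"

    # 2. POSIX group with the external group nested inside; AD members
    #    inherit the gidNumber through the nested membership.
    "$IPA_CMD" group-add "$posix" --desc="POSIX group for $netbios\\$ad_group"
    "$IPA_CMD" group-add-member "$posix" --groups="$ext"

    # 3. HBAC: members of the POSIX group may log in via sshd on the hosts.
    "$IPA_CMD" hbacrule-add "allow_${posix}_ssh"
    "$IPA_CMD" hbacrule-add-user "allow_${posix}_ssh" --groups="$posix"
    "$IPA_CMD" hbacrule-add-host "allow_${posix}_ssh" --hostgroups="$hostgroup"
    "$IPA_CMD" hbacrule-add-service "allow_${posix}_ssh" --hbacsvcs=sshd

    # 4. sudo: the same POSIX group gets all commands on the same hosts.
    "$IPA_CMD" sudorule-add "${posix}_sudo" --cmdcat=all
    "$IPA_CMD" sudorule-add-user "${posix}_sudo" --groups="$posix"
    "$IPA_CMD" sudorule-add-host "${posix}_sudo" --hostgroups="$hostgroup"

    # Check: the AD group should be listed as an indirect member.
    "$IPA_CMD" group-show "$posix"
}

# Runs only when the selected command exists (ipa on an enrolled host with
# an admin Kerberos ticket, or echo for the dry run).
if command -v "$IPA_CMD" >/dev/null 2>&1; then
    map_ad_group AD "Domain Admins" ad_admins ad_admin_hosts
fi
```

Run it on an IPA-enrolled host after `kinit admin`; the trust to the AD forest must already exist, and the host group must contain the hosts the rules should cover.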
