[Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA

Dmitri Pal dpal at redhat.com
Sat Sep 13 21:10:00 UTC 2014


On 09/13/2014 04:03 PM, Traiano Welcome wrote:
> Hi List
> Currently I have a stable trust relationship going between IPA and 
> Windows AD. I create users and manage passwords in AD, but want to 
> manage the rest in IPA, "the rest" being default shell, default home 
> directory settings, RBAC, HBAC, SELinux, etc.
> What I'm expecting is to be able to log into the FreeIPA web 
> interface, and see a synched list of users created in AD appear in the 
> interface, after which I can modify the settings on a per user basis.
> If that level of granularity is not possible, I would then expect to 
> be able to at least apply an IPA-imposed set of account defaults 
> on an AD user group:
> - default shell
> - HBAC rules
> - Sudo rules
> - SELinux rules
> - RBAC
> Is this possible with FreeIPA? I can't find anything coherent in the 
> documentation that describes an effective way of managing the POSIX 
> attributes of AD users in FreeIPA.
> Thanks in advance!
> Traiano
>
>
You are to some extent describing a feature that we call "views" that is 
currently in the works.
But there are two parts:
a) Ability to overwrite POSIX attributes for AD users - this is views
https://fedorahosted.org/freeipa/ticket/3318
https://fedorahosted.org/freeipa/ticket/4509
b) Ability to apply policies to AD users. It is already possible.
This is done via group membership.
So you create a group in IPA, make the AD group an external member of that 
group and then use that IPA group to apply HBAC, SUDO and SELinux rules.

As for RBAC what do you mean?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
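
The group-membership approach described in the reply above, sketched as ipa CLI commands. This is an added example, not part of the original message; the AD group, IPA group, host group and rule names are hypothetical, and the host group is assumed to exist already.

```shell
#!/bin/sh
# Dry run by default: prints the ipa commands. Set APPLY=1 on an enrolled
# IPA host with an admin Kerberos ticket to execute them instead.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

map_ad_group() {
    ad_group=$1     # AD group as seen through the trust (hypothetical)
    posix_group=$2  # IPA POSIX group that the policies will reference
    host_group=$3   # existing IPA host group the policies apply to
    ext_group="${posix_group}_external"

    # 1. Non-POSIX external group: the only kind that can hold AD members.
    run ipa group-add "$ext_group" --external
    run ipa group-add-member "$ext_group" --external="$ad_group"

    # 2. POSIX group nesting the external group; rules point at this one.
    run ipa group-add "$posix_group"
    run ipa group-add-member "$posix_group" --groups="$ext_group"

    # 3. HBAC: members may reach sshd on the host group, nothing else.
    run ipa hbacrule-add "${posix_group}_ssh"
    run ipa hbacrule-add-user "${posix_group}_ssh" --groups="$posix_group"
    run ipa hbacrule-add-host "${posix_group}_ssh" --hostgroups="$host_group"
    run ipa hbacrule-add-service "${posix_group}_ssh" --hbacsvcs=sshd

    # 4. Sudo rule scoped to the same group and hosts. Allowed commands
    #    still have to be attached with sudorule-add-allow-command.
    run ipa sudorule-add "${posix_group}_sudo"
    run ipa sudorule-add-user "${posix_group}_sudo" --groups="$posix_group"
    run ipa sudorule-add-host "${posix_group}_sudo" --hostgroups="$host_group"

    # 5. SELinux user map tied to the HBAC rule, so it covers exactly the
    #    users and hosts that rule covers.
    run ipa selinuxusermap-add "${posix_group}_selinux" \
        --selinuxuser='staff_u:s0-s0:c0.c1023' --hbacrule="${posix_group}_ssh"
}

# Constructed sample values.
map_ad_group 'AD\Linux Admins' ad_linux_admins webservers
```

If the default `allow_all` HBAC rule is still enabled, the narrower rule created here has no restricting effect until `allow_all` is disabled.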
