[Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA

Traiano Welcome traiano at gmail.com
Sat Sep 20 21:25:45 UTC 2014


(belated response)



On Sun, Sep 14, 2014 at 12:10 AM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/13/2014 04:03 PM, Traiano Welcome wrote:
>
>  Hi List
>
> Currently I have a stable trust relationship going between IPA and Windows
> AD. I create users and manage passwords in AD, but want to manage the rest
> in IPA, "the rest" being default shell, default home directory settings,
> RBAC, HBAC, SELinux etc.
>
> What I'm expecting is to be able to log into the FreeIPA web interface,
> and see a synched list of users created in AD appear in the interface,
> after which I can modify the settings on a per-user basis.
>
> If that level of granularity is not possible, I would then expect to be
> able to at least apply an IPA-imposed set of account defaults on an AD
> user group:
>
> - default shell
> - HBAC rules
> - Sudo rules
> - SELinux rules
> - RBAC
>
> Is this possible with FreeIPA? I can't find anything coherent in the
> documentation that describes an effective way of managing the POSIX
> attributes of AD users in FreeIPA.
>
> Thanks in advance!
> Traiano
>
>
> You are to some extent describing a feature that we call "views" that is
> currently in the works.
> But there are two parts:
> a) Ability to overwrite POSIX attributes for AD users - this is views
> https://fedorahosted.org/freeipa/ticket/3318
> https://fedorahosted.org/freeipa/ticket/4509
>


This is exactly the feature I had in mind!



> b) Ability to apply policies to AD users. It is already possible.
> This is done via group membership.
> So you create a group in IPA, make AD group an external member of that
> group and then use that IPA group to apply HBAC, SUDO and SELinux rules.
>
>

For the interim, this seems to meet the need. Seems to work reliably in
tests as long as one keeps a spreadsheet of AD group mappings to IdM user
rights. Requires some coordination with the local AD administrator :-)



> As for RBAC what do you mean?
>


By RBAC, I mean defining Linux server user "roles" with a certain profile
of sudo rights, SELinux policies and host access rules which one could
apply to individual users without grouping them. Although conceptually it
appears that there's little difference in using user groups to represent
the same type of "container" as a role would. However, I suppose the user
groups mechanism essentially achieves the same objective.



>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
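The group-based mapping Dmitri describes above (an external group holding the AD group, nested in a POSIX group that the HBAC, sudo and SELinux rules reference), as an added example that is not code from the thread or from the FreeIPA project; the AD domain, group names and hostgroup are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Maps one AD group to IPA policy
# the way Dmitri describes: external group -> POSIX group -> HBAC/sudo/SELinux
# rules. All names (AD domain, groups, hostgroup) are assumptions.
# "plan" only records the ipa commands, so the mapping can be reviewed
# (and this script tested) on a host without the ipa client.

AD_GROUP='EXAMPLE.AD\Linux Admins'  # assumed AD group (DOM\name form)
EXT_GROUP=ad_linux_admins_external  # external group: can hold AD SIDs only
POSIX_GROUP=ad_linux_admins         # POSIX group: rules attach to this one
HOST_GROUP=linux_servers            # assumed existing IPA hostgroup

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else ipa "$@"; fi
}

map_ad_group() {
  # 1. External (non-POSIX) group holding the AD group as an external member.
  run group-add "$EXT_GROUP" --external --desc="External members of $AD_GROUP"
  run group-add-member "$EXT_GROUP" --external="$AD_GROUP"
  # 2. POSIX group that nests it; HBAC/sudo/SELinux rules cannot reference
  #    the external group directly, only this one.
  run group-add "$POSIX_GROUP" --desc="IPA policy group for $AD_GROUP"
  run group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
  # 3. HBAC: sshd on the hostgroup for members of the POSIX group.
  run hbacrule-add "ssh_$POSIX_GROUP" --desc="ssh for $AD_GROUP"
  run hbacrule-add-user "ssh_$POSIX_GROUP" --groups="$POSIX_GROUP"
  run hbacrule-add-host "ssh_$POSIX_GROUP" --hostgroups="$HOST_GROUP"
  run hbacrule-add-service "ssh_$POSIX_GROUP" --hbacsvcs=sshd
  # 4. sudo: all commands on the hostgroup, password still required.
  run sudorule-add "sudo_$POSIX_GROUP" --cmdcat=all
  run sudorule-add-user "sudo_$POSIX_GROUP" --groups="$POSIX_GROUP"
  run sudorule-add-host "sudo_$POSIX_GROUP" --hostgroups="$HOST_GROUP"
  # 5. SELinux: confine members to staff_u rather than the unconfined default.
  run selinuxusermap-add "selinux_$POSIX_GROUP" --selinuxuser=staff_u:s0-s0:c0.c1023
  run selinuxusermap-add-user "selinux_$POSIX_GROUP" --groups="$POSIX_GROUP"
  run selinuxusermap-add-host "selinux_$POSIX_GROUP" --hostgroups="$HOST_GROUP"
}

# Number of ipa commands a plan would issue; a quick sanity check.
plan_count() { DRY_RUN=1 map_ad_group | wc -l | tr -d ' '; }

case "${1:-}" in
  plan)  DRY_RUN=1 map_ad_group ;;   # print the commands only
  apply) map_ad_group ;;             # needs an admin Kerberos ticket (kinit)
esac
```

Run `sh map.sh plan` to review the commands, then `sh map.sh apply` with an admin ticket; `ipa hbactest --user='someone@example.ad' --host=<host> --service=sshd` afterwards confirms the HBAC rule resolves for an AD user.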