[Freeipa-users] Sudo rules w/ external users (RHEL7)

Gould, Joshua Joshua.Gould at osumc.edu
Mon Apr 13 15:59:28 UTC 2015


On 4/13/15, 11:37 AM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

>Through external users' groups mechanism we use for any other AD users
>mapping in HBAC and SUDO. These are not local (not defined in IPA but
>defined on the host) groups and users but rather AD groups and users.
>
>ipa group-add --external gould_group_ext
>ipa group-add-member gould_group_ext --external=gould at test.osuwmc
>ipa group-add gould_group
>ipa group-add-member gould_group --groups=gould_group_ext
>
>And now make sudo rule that allows users of gould_group to run needed
>commands. SSSD will pull in all membership information for gould_group,
>including AD users.

Just curious, but if we don't plan on using any IPA native users, could
you skip the last two commands and add gould_group_ext to the sudo rule?

I've seen this same basic example used for HBAC, but it never was clear to
me why the IPA group needed to be added if you're only concerned with AD
users? Does it need to be added or do the examples include the IPA group
because they assume that you'll be wanting to use a mix of AD and IPA
users for HBAC and sudo?


  Joshua
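The full pattern from the quoted reply, carried through to the sudo rule and a client-side check, as an added example script that is not part of this thread. The external group created with `--external` is non-POSIX (it has no GID), so it only holds AD identities; nesting it in an ordinary POSIX group is what gives SSSD a group the host can resolve and the sudo rule can reference. The rule name `gould_sudo`, the command `/usr/bin/systemctl` and the host `web01.example.test` are constructed for the example. Setting `IPA=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): external AD group -> POSIX group -> sudo rule.
# IPA can be overridden with IPA=echo for a dry run that only prints the commands.
IPA="${IPA:-ipa}"

# Names from the quoted reply; rule, command and host are constructed assumptions.
EXT_GROUP="${EXT_GROUP:-gould_group_ext}"
POSIX_GROUP="${POSIX_GROUP:-gould_group}"
AD_USER="${AD_USER:-gould@test.osuwmc}"
RULE="${RULE:-gould_sudo}"
SUDOCMD="${SUDOCMD:-/usr/bin/systemctl}"
HOST="${HOST:-web01.example.test}"

# 1. Non-POSIX external group that holds the AD user (stored by SID, no GID).
add_external_group() {
  "$IPA" group-add --external "$EXT_GROUP" &&
  "$IPA" group-add-member "$EXT_GROUP" --external="$AD_USER"
}

# 2. POSIX group nesting the external group; this is the group hosts see via SSSD.
add_posix_group() {
  "$IPA" group-add "$POSIX_GROUP" &&
  "$IPA" group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# 3. Sudo rule scoped to the POSIX group, one explicit command, one host
#    (no --cmdcat=all / --hostcat=all, so the grant stays narrow).
add_sudo_rule() {
  "$IPA" sudorule-add "$RULE" &&
  "$IPA" sudorule-add-user "$RULE" --groups="$POSIX_GROUP" &&
  "$IPA" sudocmd-add "$SUDOCMD" &&
  "$IPA" sudorule-add-allow-command "$RULE" --sudocmds="$SUDOCMD" &&
  "$IPA" sudorule-add-host "$RULE" --hosts="$HOST"
}

# 4. Run on the enrolled client: confirm SSSD resolves the nested membership
#    and that sudo actually sees the rule for the AD user.
verify_on_client() {
  id "$AD_USER" &&
  sudo -l -U "$AD_USER"
}

run_all() {
  add_external_group && add_posix_group && add_sudo_rule
}

# Uncomment to apply against a real IPA server (needs a valid admin ticket):
# run_all
```

Run `IPA=echo sh script.sh` after uncommenting `run_all` to review the exact command sequence before applying it; `id` showing `gould_group` for the AD user on the client is the quickest sign that the nesting is being pulled in by SSSD.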