[Freeipa-users] External group membership

Benjamen Keroack benjamen at dollarshaveclub.com
Sat Apr 18 01:12:03 UTC 2015


We have a number of local groups on our IPA-managed servers that we add
LDAP/IPA users to. This works fine locally on the server on an ad hoc basis:

$ usermod -a -G local-group test.user

However, I'm trying to do this as part of user provisioning in IPA via user
groups. I've created external user groups in IPA, then added those external
groups to the user groups that new users are added to via automember rules.
For example:

local-group [external] -> [is a member of] -> developers [IPA group]

Then I SSH into one of the servers as a user who is a member of developers:

test.user@qa$ groups
test.user developers qa_users

I do not see 'local-group' membership, even after restarting
sssd/rebooting. Is it possible to achieve this kind of automatic local
group membership? The only alternative I can see would be to write a SUID
binary that .bash_profile runs on login to add them to the applicable
groups, which seems like a bad hack.

This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.

Thanks for any help,

Benjamen Keroack
*Infrastructure/DevOps Engineer*
benjamen at dollarshaveclub.com