[Freeipa-users] External group membership
Dmitri Pal
dpal at redhat.com
Sat Apr 18 04:07:24 UTC 2015
On 04/17/2015 09:12 PM, Benjamen Keroack wrote:
> Hi,
>
> We have a number of local groups on our IPA-managed servers that we
> add LDAP/IPA users to. This works fine locally on the server on an ad
> hoc basis:
>
> $ usermod -a -G local-group test.user
>
> However I'm trying to do this as part of user provisioning in IPA via
> user groups. I've created external user groups in IPA, then added
> those external groups to the user groups that new users are added to
> via automember rules. For example:
>
> local-group [external] -> [is a member of] -> developers [IPA group]
>
> Then I SSH into one of the servers as a user who is a member of
> developers:
>
> test.user@qa$ groups
> test.user developers qa_users
>
> I do not see 'local-group' membership, even after restarting
> sssd/rebooting. Is it possible to achieve this kind of automatic local
> group membership? The only alternative I can see would be to write a
> SUID binary that .bash_profile runs on login to add them to the
> applicable groups, which seems like a bad hack.
>
> This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.
>
> Thanks for any help,
>
> --
> Benjamen Keroack
> /Infrastructure/DevOps Engineer/
> benjamen at dollarshaveclub.com
>
It looks like you are looking for this:
https://fedorahosted.org/sssd/ticket/1591
It is on the roadmap for 1.13 alpha, which should be out in a couple of months.
Would you be interested to test?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.