[Freeipa-users] External group membership

Dmitri Pal dpal at redhat.com
Thu Apr 23 17:38:13 UTC 2015 

On 04/22/2015 01:21 PM, Benjamen Keroack wrote:
> Hi Dmitri,
>
> I'd be happy to test sssd 1.13 alpha. Is there any easy was to install 
> on Ubuntu, or do I need to pull and compile from source?

Fo alpha you probably would need to go from source, but once 1.13 
released the disrto owners do a great job of keeping up with the upstream.
Please watch for the announcements on the list.

>
> Thanks,
>
> On Fri, Apr 17, 2015 at 9:07 PM, Dmitri Pal <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 04/17/2015 09:12 PM, Benjamen Keroack wrote:
>>     Hi,
>>
>>     We have a number of local groups on our IPA-managed servers that
>>     we add LDAP/IPA users to. This works fine locally on the server
>>     on an ad hoc basis:
>>
>>     $ usermod -a -G local-group test.user
>>
>>     However I'm trying to do this as part of user provisioning in IPA
>>     via user groups. I've created external user groups in IPA, then
>>     added those external groups to the user groups that new users are
>>     added to via automember rules. For example:
>>
>>     local-group [external] -> [is a member of] -> developers [IPA group]
>>
>>     Then I SSH into one of the servers as a user who is a member of
>>     developers:
>>
>>     test.user at qa$ groups
>>     test.user developers qa_users
>>
>>     I do not see 'local-group' membership, even after restarting
>>     sssd/rebooting. Is it possible to achieve this kind of automatic
>>     local group membership? The only alternative I can see would be
>>     to write a SUID binary that .bash_profile runs on login to add
>>     them to the applicable groups, which seems like a bad hack.
>>
>>     This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu
>>     Trusty.
>>
>>     Thanks for any help,
>>
>>     -- 
>>     Benjamen Keroack
>>     /Infrastructure/DevOps Engineer/
>>     benjamen at dollarshaveclub.com <mailto:benjamen at dollarshaveclub.com>
>>
>>
>>
>
>     It looks like you are looking for this:
>     https://fedorahosted.org/sssd/ticket/1591
>     It is on the roadmap for 1.13 alpha which should be out in couple
>     months.
>     Would you be interested to test?
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
>
>
>
>
> -- 
> Benjamen Keroack
> /Infrastructure/DevOps Engineer/
> benjamen at dollarshaveclub.com <mailto:benjamen at dollarshaveclub.com>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150423/1ac5ee9c/attachment.htm>

More information about the Freeipa-users mailing list