[Freeipa-users] Fwd: Re: FreeIPA en Domain Trust

Jakub Hrozek jhrozek at redhat.com
Mon Nov 23 15:50:22 UTC 2015


On Mon, Nov 23, 2015 at 04:43:11PM +0100, Winfried de Heiden wrote:
>    Hi all,
> 
>    One motivation: the customer demands like this...

Yes, but why? It doesn't make sense to me..

>    Also: ignore Windows specific group info which is not important for the
>    Linux domain
>    Also: too many groups!
> 
>    If it's an sssd thing, this might be solved on the IPA-server as well since
>    getting the AD group info is handled by sssd on the IPA-server, right?
>    Anyway: how to handle this issue?

Can't be done at the moment short of blacklisting each and every group
using filter_groups or min_id/max_id ranges. Both are hacks that should
be avoided, though..

The reason is that the trusted domain configuration on the SSSD side is
more or less always using defaults and things like search bases can't be
set for the subdomain at the moment.

> 
>    Kind regards,
> 
>    Winny
>    On 23-11-15 at 10:54, Martin Kosek wrote:
> 
>  On 11/23/2015 10:50 AM, Winfried de Heiden wrote:
> 
>  Hi all,
> 
>  For some reason, we only want to use the Active Directory user from an Active
>  Directory using a Trust. (groups like "Domain Users"  are of no use...)
> 
>  Is it possible to ignore (hide) ALL groups from a particular Domain (trust)?
> 
>  Kind regards,
> 
>  Winny
> 
>  This looks like a question for the client part (SSSD). I do not fully understand
>  the use case, you want to allow an AD user to authenticate to a Linux box, but you
>  do not want the Linux box to see any of the AD groups? What is the motivation,
>  if I may ask?
