[Freeipa-users] No ad users in web gui

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 1 15:12:10 UTC 2016


Please keep freeipa-users@ in CC:

On Thu, 01 Dec 2016, Denis Müller wrote:
>Sorry, but I still do not understand how can I apply a single HBAC-Rule
>to a single user. Editing a HBAC-Rule, there is no option to select an
>ad_user.
As I said, there wouldn't be any. The concept is that you need to have a
real LDAP object to include into the HBAC or SUDO rule and that object
must be a POSIX user or group.

We cannot map an AD user to a POSIX user this way yet, only to POSIX groups,
so in the HBAC rule you need to add a POSIX group instead of the AD
user (or IPA user).


>
>[root at ipa01 ~]# ipa group-show ad_users_external
>  Gruppenname: ad_users_external
>  Beschreibung: AD users external map
>  Mitglied der Gruppen: ad_users
>  Indirect Member of HBAC rule: ssh_rule
>  External member: user1 at rto.de, user2 at rto.de
>
>
>
>[root at ipa01 ~]# ipa hbacrule-add-user
>Regelname: ssh_rule
>[Mitglied Benutzer]: user1 at rto.de
>[Mitglied Gruppe]: ad_users_external
>  Regelname: ssh_rule
>  Aktiviert: TRUE
>  Benutzergruppen: ad_users, ad_users_external
>  Hosts: ipa-web.wop.bto.de
>  Dienste: sshd
>  Failed users/groups:
>    Mitglied Benutzer: user1 at rto.de: no such entry
>    Mitglied Gruppe:
>
>
>On Thursday, 01.12.2016, 16:12 +0200, Alexander Bokovoy wrote:
>
>On Thu, 01 Dec 2016, Denis Müller wrote:
>
>
>Hello Alexander,
>
>Thank you for the reply. As I understand, working with ad users/groups works this way:
>
>ad_users => ad_users_external_group => ipa_users_group
>
>So I can manage ipa_users_group to provide Sudo Rules etc.
>
>But how can I provide rules to a single user? What would be the best way?
>
>
>The same way -- by specifying user as part of the external group.
>
>Check out this email, this topic is raised regularly:
>https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html
>
>

-- 
/ Alexander Bokovoy
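
The mapping described in this message, written out for a single AD user, as an added example that is not part of the original thread. It assumes the AD trust is already established; the function name, the `IPA_CMD` dry-run switch and every name passed to the function are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): expose ONE AD user to an HBAC rule
# through the external-group -> POSIX-group chain described above.
# Assumes the AD trust already exists; all names passed in are the caller's.

# Dry run by default: commands are printed, not executed.
# On an IPA server with an admin ticket (kinit admin), run with IPA_CMD=ipa.
IPA_CMD="${IPA_CMD:-echo ipa}"

grant_ad_user_hbac() {
    ad_user="$1"       # fully qualified AD user, e.g. user1@ad.example.test
    rule="$2"          # existing HBAC rule, e.g. ssh_rule
    posix_group="$3"   # new POSIX group that will carry this one user
    ext_group="${posix_group}_external"

    # The external member must be resolvable through the trust, so insist
    # on the user@domain form rather than a bare login name.
    case "$ad_user" in
        ?*@?*) ;;
        *) echo "expected user@ad.domain, got: $ad_user" >&2; return 2 ;;
    esac

    # 1. Non-POSIX external group: the only place an AD user can be a member.
    $IPA_CMD group-add "$ext_group" --external || return 1
    # (the ipa CLI may prompt for member user/group here; leave them empty)
    $IPA_CMD group-add-member "$ext_group" --external "$ad_user" || return 1

    # 2. POSIX group: the real LDAP object an HBAC or sudo rule can reference.
    $IPA_CMD group-add "$posix_group" || return 1
    $IPA_CMD group-add-member "$posix_group" --groups "$ext_group" || return 1

    # 3. Reference the POSIX group, never the AD user, in the rule.
    $IPA_CMD hbacrule-add-user "$rule" --groups "$posix_group" || return 1

    # 4. Review the rule: the group should be listed, with no failed members.
    $IPA_CMD hbacrule-show "$rule"
}
```

Because the external group holds exactly one member, the rule applies to that AD user alone while still referencing a POSIX group.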
