[Freeipa-users] HBAC and AD users
Lachlan Musicman
datakid at gmail.com
Mon Jul 11 06:19:52 UTC 2016
Hola,
Centos 7, up to date.
[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
One way trust is successfully established, can login with
ssh username@domain1.com@server1.domain2.com
Am testing to get HBAC to work.
I've noticed that with the Allow All rule in effect, the following setup
is sufficient:
add external group "ad_external"
add internal group, "ad_internal", add ad_external as a group member of
ad_internal
AD users can now successfully login to any server.
When I tried to set up an HBAC, I couldn't get that setup to work; I
needed to complete the extra step of adding AD users explicitly to the
"external member" group of the external group.
I also note that this seems to be explicitly user based, not group based?
I.e., I can add lachlan@domain1.com to the external members of ad_external
and that works, but adding the group server_admins@domain1.com (as seen in
`id lachlan@domain1.com`) doesn't allow all members access.
Does that sound correct?
L.
------
The most dangerous phrase in the language is, "We've always done it this
way."
- Grace Hopper
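The setup described in the post, written out as an added example (not from the original message or the FreeIPA project): the external/POSIX group pair, an HBAC rule scoped to sshd on one host, and an `ipa hbactest` check that simulates the decision before the Allow All rule is disabled. Group names, user and host come from the post; the rule name `ad_admins_ssh` and the `IPA_DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: rule
# "ad_admins_ssh" (constructed); ad_external, ad_internal,
# lachlan@domain1.com and server1.domain2.com are taken from the post.
# IPA_DRY_RUN=1 prints the ipa commands instead of executing them so the
# change can be reviewed before it touches the directory.
set -eu

AD_USER="${AD_USER:-lachlan@domain1.com}"
TARGET_HOST="${TARGET_HOST:-server1.domain2.com}"
RULE="${RULE:-ad_admins_ssh}"

# Run an ipa subcommand, or print it when IPA_DRY_RUN=1.
ipa_cmd() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

setup_groups() {
    # The external group holds trusted-domain identities and has no POSIX gid.
    ipa_cmd group-add --external ad_external --desc 'AD trust users'
    # HBAC rules reference a POSIX group, so mirror the external group into one.
    ipa_cmd group-add ad_internal --desc 'POSIX mirror of ad_external'
    ipa_cmd group-add-member ad_internal --groups ad_external
    # Explicit user membership, which the post found necessary for HBAC.
    ipa_cmd group-add-member ad_external --external "$AD_USER"
}

setup_hbac() {
    # Least privilege: one service on one host, instead of Allow All.
    ipa_cmd hbacrule-add "$RULE" --desc 'AD users may ssh to one host'
    ipa_cmd hbacrule-add-user "$RULE" --groups ad_internal
    ipa_cmd hbacrule-add-host "$RULE" --hosts "$TARGET_HOST"
    ipa_cmd hbacrule-add-service "$RULE" --hbacsvcs sshd
}

# Server-side simulation; the summary reports Access granted or Access denied
# and lists the rules that matched, which is the check to run before
# disabling allow_all.
verify_access() {
    ipa_cmd hbactest --user "$AD_USER" --host "$TARGET_HOST" --service sshd
}

# Only run end to end when the ipa client exists or a dry run was requested.
if command -v ipa >/dev/null 2>&1 || [ "${IPA_DRY_RUN:-0}" = "1" ]; then
    setup_groups && setup_hbac && verify_access
fi
```

Run with `IPA_DRY_RUN=1 sh hbac_setup.sh` first to see the nine ipa commands, then without it on an enrolled host with a valid admin Kerberos ticket.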