[Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2

Robert Sturrock rns at unimelb.edu.au
Wed Oct 12 04:23:51 UTC 2016


Hi All.

We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide better connectivity to our (large) organisational AD service for Linux clients.

We have set up IPA and configured a suitable AD trust (with SID POSIX mapping) in the hope that users will be able to access IPA resources (hosts, storage) using existing AD credentials and groups.  This is working fine - we can log in to Linux hosts using AD credentials and see the AD groups.

However, it would appear that in order to use AD group membership as the basis for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an equivalent IPA (POSIX) group?  Is this correct?

I can see that it’s possible to define ‘external’ *users* (not groups) in some cases, but this function appears to be deprecated.

We have large numbers of groups in our AD (~50k), so obviously that’s a lot of mapping!

Regards,

Robert.
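The mapping step the post asks about, shown as an added example (not code from the original message or from the FreeIPA project): an AD group is first added to a non-POSIX "external" IPA group that records its SID, that external group is nested into an ordinary POSIX IPA group, and HBAC and sudo rules then reference the POSIX group. The trust to an AD domain with NetBIOS name "AD", the group, rule and host-group names, and an existing admin Kerberos ticket are all assumptions. With DRY_RUN=1 the commands are printed rather than run, so the intended changes can be reviewed before anything is written to the directory.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an established IPA trust
# to an AD domain with NetBIOS name "AD" and an admin Kerberos ticket on the
# host running this. Group, rule and host-group names are placeholders.
# DRY_RUN=1 prints the ipa commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# map_ad_group 'AD\Group Name' ipa_group_base
# Creates <base>_external (non-POSIX, holds the AD group's SID) and <base>
# (POSIX) and nests the former in the latter. Rules reference <base>.
map_ad_group() {
    ad_group=$1
    base=$2
    run group-add --external "${base}_external" --desc "External map of ${ad_group}"
    run group-add-member "${base}_external" --external "${ad_group}"
    run group-add "${base}" --desc "POSIX group for ${ad_group}"
    run group-add-member "${base}" --groups "${base}_external"
}

# grant_access ipa_group_base hostgroup
# HBAC rule for sshd plus a sudo rule, both keyed on the POSIX group, so AD
# membership decides access without per-user entries in IPA.
grant_access() {
    base=$1
    hostgroup=$2
    run hbacrule-add "allow_${base}" --desc "SSH access for ${base}"
    run hbacrule-add-user "allow_${base}" --groups "${base}"
    run hbacrule-add-host "allow_${base}" --hostgroups "${hostgroup}"
    run hbacrule-add-service "allow_${base}" --hbacsvcs sshd
    run sudorule-add "sudo_${base}" --cmdcat=all
    run sudorule-add-user "sudo_${base}" --groups "${base}"
    run sudorule-add-host "sudo_${base}" --hostgroups "${hostgroup}"
}

# Bulk helper: reads "AD\Group Name|ipa_base" lines on stdin, one mapping per
# line, since the two-group mapping has to be repeated for every AD group
# that a rule needs to reference.
map_from_list() {
    while IFS='|' read -r ad_group base; do
        if [ -n "$base" ]; then
            map_ad_group "$ad_group" "$base"
        fi
    done
}
```

Only groups that actually need an HBAC or sudo rule have to be mapped; AD groups that merely need to be visible to the client keep working through the trust alone, which keeps the number of IPA group objects well below the total number of AD groups.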