[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

Chris Dagdigian dag at sonsorol.org
Wed Oct 19 19:18:14 UTC 2016


Thanks to great tips and pointers from people on this list (h/t 
Alexander B) I was able to build an IPA master + replica setup that can 
recognize and allow logins from users coming from multiple disconnected 
AD Forests with 1-way trusts to the IPA servers

Sanitized view of our AWS footprint:

AD Servers & IPA:
------------------------
AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
AD Forest #3:   company.org
IPA Domain/Realm:    company-ipa.org   (successful 1-way trusts to 
company-test.org and company-aws.org etc.)

With basic recognition of users and working SSH logins based on AD 
username and passwords I'm moving on to trying to use the far more 
interesting IPA/IDM features.

Using user accounts defined locally on the IPA server I'm having a blast 
uploading SSH keys and creating sudo rules and groups. So the natural 
next question is "can we do this for users who exist only in remote AD 
controllers?"

IPA is doing 100% of the UID/GID/POSIX stuff management - we are only 
pulling usernames & groups from AD and checking passwords against the AD 
servers.

The basic question -- is it possible for me to get to "hybrid linux user 
management" nirvana whereby IPA/IDM manages everything about AD users 
except for their username and passwords?

Tried to find this in the official documentation but it dives instantly 
into deep topics about user data mapping, custom schemas and dealing 
with POSIX data served up by the AD controllers. Hard to figure out the 
boundary between what IPA can support with local user accounts vs. what 
it can do when the users exist in remote AD forests.

Any URLs or documentation pointers would be appreciated

Regards,
Chris
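Added example (not part of Chris's post and not FreeIPA project code): the FreeIPA CLI sequence that gives a trusted-AD user IPA-managed sudo access and an IPA-managed SSH key, which is the "hybrid" model asked about above. The mechanism, as of FreeIPA 4.x: an AD group can only be a member of an "external" IPA group (identified by SID, no POSIX attributes), a regular POSIX group wraps that external group so sudo and HBAC rules can name it, and per-user attributes such as SSH keys are stored as ID overrides in the Default Trust View rather than in AD. The group names, rule name, user and key below are placeholders; the `ipa` invocations are real subcommands and options, wrapped in small functions with a dry-run mode so the sequence can be reviewed before it touches a server.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the FreeIPA CLI steps
# that let IPA manage sudo rules and SSH keys for users who exist only in a
# trusted AD forest. Group, user and key values are placeholders; run on an IPA
# server after `kinit admin`.
set -eu

# Run an ipa(1) command, or just print it when IPA_DRY_RUN=1 or no ipa binary
# is present, so the sequence can be reviewed before it writes to LDAP.
ipa_cmd() {
    if [ "${IPA_DRY_RUN:-0}" = 1 ] || ! command -v ipa >/dev/null 2>&1; then
        printf '%s\n' "ipa $*"
    else
        ipa "$@"
    fi
}

# Map one AD group into IPA: <posix_group>_ext holds the AD group (by SID),
# <posix_group> is the POSIX group that sudo/HBAC rules refer to.
# Usage: map_ad_group <ipa_posix_group> <ad_group as name@ad.domain or DOMAIN\name>
map_ad_group() {
    map_posix_group=$1
    map_ad_group_name=$2
    ipa_cmd group-add --external "${map_posix_group}_ext" --desc "AD members: $map_ad_group_name"
    ipa_cmd group-add-member "${map_posix_group}_ext" --external "$map_ad_group_name"
    ipa_cmd group-add "$map_posix_group" --desc "POSIX wrapper for $map_ad_group_name"
    ipa_cmd group-add-member "$map_posix_group" --groups "${map_posix_group}_ext"
}

# Sudo rule for the wrapped group. --hostcat/--cmdcat/--runasusercat=all means
# "any command, as anyone, on every enrolled host"; narrow it for production.
# Usage: grant_sudo <rule_name> <ipa_posix_group>
grant_sudo() {
    sudo_rule=$1
    sudo_group=$2
    ipa_cmd sudorule-add "$sudo_rule" --hostcat=all --cmdcat=all --runasusercat=all
    ipa_cmd sudorule-add-user "$sudo_rule" --groups "$sudo_group"
}

# Attach an SSH public key to an AD user via an ID override in the Default
# Trust View. Nothing is written to AD; the key lives in IPA and SSSD serves
# it to sshd on the clients (sss_ssh_authorizedkeys).
# Usage: set_ad_user_sshkey <user@ad.domain> "<OpenSSH public key line>"
set_ad_user_sshkey() {
    key_user=$1
    key_line=$2
    case "$key_line" in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp'*) ;;
        *)
            printf 'refusing key for %s: not an OpenSSH public key line\n' "$key_user" >&2
            return 1
            ;;
    esac
    ipa_cmd idoverrideuser-add 'Default Trust View' "$key_user" --sshpubkey="$key_line"
}

# Example run with placeholder values (prints the commands unless ipa is installed).
map_ad_group ad_linux_admins 'linux-admins@company-test.org'
grant_sudo ad_linux_admins_sudo ad_linux_admins
set_ad_user_sshkey 'jdoe@company-test.org' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialOnly jdoe'
```

Two practical caveats. The Default Trust View is applied to every IPA client automatically; a custom ID view has to be attached to hosts with `ipa idview-apply`. And the override key is only honored on a client whose sshd uses `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys`, which ipa-client-install configures by default. HBAC rules take the same wrapped POSIX group via `ipa hbacrule-add-user <rule> --groups <group>`, so login restriction, sudo and SSH keys for AD users can all be managed from IPA while authentication stays in AD.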