[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 19 19:44:14 UTC 2016


On Wed, 19 Oct 2016, Chris Dagdigian wrote:
>Thanks to great tips and pointers from people on this list (h/t 
>Alexander B) I was able to build an IPA master + replica setup that 
>can recognize and allow logins from users coming from multiple 
>disconnected AD Forests with 1-way trusts to the IPA servers
>
>Sanitized view of our AWS footprint:
>
>AD Servers & IPA:
>------------------------
>AD Forest #1:   company-test.org
>AD Forest #2:   company-aws.org
>AD Forest #3:   company.org
>IPA Domain/Realm:    company-ipa.org   (successful 1-way trusts to 
>company-test.org and company-aws.org etc.)
>
>With basic recognition of users and working SSH logins based on AD 
>username and passwords I'm moving on to trying to use the far more 
>interesting IPA/IDM features.
>
>Using user accounts defined locally on the IPA server I'm having a 
>blast uploading SSH keys and creating sudo rules and groups. So the 
>natural next question is "can we do this for users who exist only in 
>remote AD controllers?"
Yes, you can, by using ID views and ID overrides.

In FreeIPA < 4.4 you need admins to create and populate the overrides.
You can see how it works in this video:
https://www.youtube.com/watch?v=M_umNxB7rSM

Starting with FreeIPA 4.4 you only need to create the override as IPA admin;
users can then populate it themselves with the IPA command line interface
after running 'kinit' as the AD user:

$ kinit admin
$ ipa idoverrideuser-add 'Default Trust View' user@ad.domain

then AD user can do:

$ kinit user@AD.DOMAIN
$ ipa idoverrideuser-mod 'Default Trust View' user@ad.domain \
  --sshpubkey="$(cat /path/to/my-ssh-key.pub)"

There are access controls in place which don't allow changing things
like the username (--login) or home directory in self-service. Practically,
AD users can maintain their public SSH keys and (starting with FreeIPA
4.4) attach public certificates to their ID overrides.

>IPA is doing 100% of the UID/GID/Posix stuff management - we are only 
>pulling usernames & groups from AD and checking passwords against the 
>AD servers.
>
>The basic question -- is it possible for me to get to "hybrid linux 
>user management" nirvana whereby IPA/IDM manages everything about AD 
>users except for their username and passwords?
See above.

>Tried to find this in the official documentation but it dives 
>instantly into deep topics about user data mapping, custom schemas and 
>dealing with POSIX data served up by the AD controllers. Hard to 
>figure out the boundary between what IPA can support with local user 
>accounts vs. what it can do when the users exist in remote AD forests.
>
>Any URLs or documentation pointers would be appreciated
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#managing-id-views-in-ad

ID Views are the thing you need to deal with. FreeIPA 4.4 adds support
for 'self-service' for AD users in the command line. Versions before it
require IPA admins to handle ID overrides. No Web UI support for the
self-service yet.

FreeIPA 4.4 is what is available in RHEL 7.3 beta already.

-- 
/ Alexander Bokovoy
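
The workflow Alexander describes above, written out as a POSIX shell script. This is an added example, not code from the thread or from the FreeIPA project. It adds two things a practitioner wants around the bare commands: a check on the key file before it goes into --sshpubkey (one line, a known key type, no private key or authorized_keys dump by mistake) and a check that the key is actually served to sshd afterwards. The AD principal chris@AD.EXAMPLE.ORG, the key path and the override name derived from them are hypothetical; the script assumes 'Default Trust View' and that ipa and sss_ssh_authorizedkeys are installed on an IPA-enrolled client.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the ID-override
# workflow for an AD user's SSH key, with sanity checks around it.
# Assumptions (hypothetical): the view is 'Default Trust View', the AD user
# is chris@AD.EXAMPLE.ORG, and ipa plus sss_ssh_authorizedkeys are present
# on an IPA-enrolled client. Usage:
#   sh ad-user-sshkey.sh run chris@AD.EXAMPLE.ORG ~/.ssh/id_ed25519.pub
set -eu

VIEW='Default Trust View'

# override_name PRINCIPAL: the Kerberos principal keeps its upper-case realm
# (chris@AD.EXAMPLE.ORG) while the override is addressed by the lower-case
# SSSD name (chris@ad.example.org), matching the commands in the thread.
override_name() {
    user=${1%@*}
    realm=${1#*@}
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
}

# validate_pubkey FILE: accept exactly one OpenSSH public-key line of a known
# type, so a private key, an authorized_keys dump or an empty file is refused
# before it is written into the override.
validate_pubkey() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
    lines=$(grep -c . "$file") || lines=0
    [ "$lines" -eq 1 ] || { echo "expected one key line, got $lines" >&2; return 1; }
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$file"
}

# Step 1, as IPA admin: create the (still empty) override for the AD user.
admin_create_override() {
    name=$1
    kinit admin
    ipa idoverrideuser-add "$VIEW" "$name"
}

# Step 2, as the AD user (FreeIPA >= 4.4 self-service): attach the key.
# The value is double-quoted; unquoted, the spaces inside the key would
# split it into several arguments.
user_set_sshpubkey() {
    principal=$1; name=$2; keyfile=$3
    validate_pubkey "$keyfile"
    kinit "$principal"
    ipa idoverrideuser-mod "$VIEW" "$name" --sshpubkey="$(cat "$keyfile")"
    ipa idoverrideuser-show "$VIEW" "$name"
}

# Step 3, on an enrolled client: sshd fetches AD users' keys from SSSD via
# sss_ssh_authorizedkeys; an empty answer means the override is not being
# applied (stale SSSD cache, or the host is not covered by the view).
verify_key_published() {
    name=$1
    sss_ssh_authorizedkeys "$name" | grep -q . || {
        echo "no key served for $name; try 'sss_cache -E' and retry" >&2
        return 1
    }
}

# Run the whole workflow only when asked to; running the file without
# arguments only defines the functions.
if [ "${1:-}" = "run" ]; then
    principal=$2
    name=$(override_name "$principal")
    admin_create_override "$name"
    user_set_sshpubkey "$principal" "$name" "$3"
    verify_key_published "$name"
fi
```

Steps 1 and 2 are shown in one script for readability; in practice they are run by two different people (the IPA admin, then the AD user), each with their own ticket. If step 3 returns nothing after a successful step 2, the usual causes are a cached negative lookup in SSSD on the client or the host not being part of the view the override lives in.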
