[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

Chris Dagdigian dag at sonsorol.org
Wed Oct 19 19:45:14 UTC 2016


Perfect, thank you. I tend to get too wordy in my emails. You've 
described exactly what I'm going for.

Follow up question - Will a similar approach work for users (not groups) 
as well if there is a small collection of AD-defined people I want to 
hold and distribute SSH public keys for?

Happy to document our setup or write up a HowTO or intro guide for other 
novices if we are trying something that is not often done.

Regards,
Chris


Baird, Josh wrote:
> Hi,
>
> If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  There are examples of this in the IdM documentation, but the gist is:
>
> * Create an 'external' group in IPA (eg, ipa group-add external_admins --external)
> * Add your AD group as a member to the external group (eg, ipa group-add-member external_admins --external 'AD\groupname')
> * Create a standard POSIX group in IPA (eg, ipa group-add admins)
> * Add the external group as a member to the POSIX group (eg, ipa group-add-member admins --groups external_admins)
>
> Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and the policies will apply to the AD users in the AD\groupname group.
>
> Hope this helps.
>
> Thanks,
>
> Josh
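The four steps Josh describes, carried through to the point where an HBAC rule and a sudo rule actually reference the POSIX group, as an added example script (not code from the thread or from the FreeIPA project). The AD domain AD.EXAMPLE.COM, the AD group linux-admins, the IPA group names ext_admins and admins, and the host group prod-web are assumptions; the ipa subcommands and options are the standard ones. Set IPA='echo ipa' to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: expose an AD group to IPA HBAC and sudo policy by nesting an
# external (SID-mapped, non-POSIX) group inside a POSIX group, then bind
# policy to the POSIX group. The names below are assumptions, not the
# poster's environment. Requires an established AD trust (ipa-adtrust-install).

IPA=${IPA:-ipa}                       # IPA='echo ipa' gives a dry run
AD_GROUP='AD.EXAMPLE.COM\linux-admins'  # assumed AD group, written DOMAIN\name
EXT_GROUP=ext_admins                  # assumed IPA external group name
POSIX_GROUP=admins                    # assumed IPA POSIX group name
HOSTGROUP=prod-web                    # assumed IPA host group the policy targets

# Steps 1-2: the external group is the only IPA object that can hold an AD SID.
setup_external_group() {
    $IPA group-add "$EXT_GROUP" --external --desc="AD members of $AD_GROUP" &&
    $IPA group-add-member "$EXT_GROUP" --external "$AD_GROUP"
}

# Steps 3-4: HBAC and sudo evaluate POSIX groups, so nest the external group
# inside one. AD users inherit membership transitively.
setup_posix_group() {
    $IPA group-add "$POSIX_GROUP" --desc="Linux admins sourced from AD" &&
    $IPA group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

# HBAC: allow sshd on the host group for the POSIX group only. Note that the
# default allow_all rule, while enabled, grants everyone access to every
# host and makes this rule irrelevant; disable it once your own rules exist.
setup_hbac() {
    rule="allow_${POSIX_GROUP}_ssh"
    $IPA hbacrule-add "$rule" &&
    $IPA hbacrule-add-user "$rule" --groups "$POSIX_GROUP" &&
    $IPA hbacrule-add-host "$rule" --hostgroups "$HOSTGROUP" &&
    $IPA hbacrule-add-service "$rule" --hbacsvcs sshd
}

# sudo: same group, same host group. --cmdcat=all grants every command;
# narrow it with sudocmd-add / sudorule-add-allow-command for real use.
setup_sudo() {
    rule="${POSIX_GROUP}_sudo"
    $IPA sudorule-add "$rule" --cmdcat=all &&
    $IPA sudorule-add-user "$rule" --groups "$POSIX_GROUP" &&
    $IPA sudorule-add-host "$rule" --hostgroups "$HOSTGROUP"
}

# Verify the decision for one AD user (written user@ad.domain) on one host
# before touching allow_all; hbactest prints "Access granted: True/False".
check_hbac() {
    $IPA hbactest --user "$1" --host "$2" --service sshd
}

apply_all() {
    setup_external_group && setup_posix_group && setup_hbac && setup_sudo
}

# sh setup.sh apply            applies everything
# IPA='echo ipa' sh setup.sh apply   prints the commands only
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Run check_hbac with a real AD user (for example check_hbac jdoe@ad.example.com web01.ipa.example.com) both before and after disabling allow_all with ipa hbacrule-disable allow_all; the first run will show access granted regardless of your rule, which is the usual surprise when HBAC appears not to be enforcing anything.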
