[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 19 19:46:10 UTC 2016


On ke, 19 loka 2016, Baird, Josh wrote:
>Hi,
>
>If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.  There are examples of this in the IdM documentation, but the gist is:
>
>* Create an 'external' group in IPA (eg, ipa group-add external_admins --external)
>* Add your AD group as a member to the external group (eg, ipa group-add-member external_admins --external 'AD\groupname')
>* Create a standard POSIX group in IPA (eg, ipa group-add admins)
>* Add the external group as a member to the POSIX group (eg, ipa group-add-member admins --groups external_admins)
>
>Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and the policies will apply to the AD users in the AD\groupname group.
Correct -- for HBAC and SUDO rules this is the right procedure. See also
the discussions on this list in the last couple of months; this topic has
been discussed several times already.

For ID overrides (SSH public keys/homedir/etc) -- see my other email.


-- 
/ Alexander Bokovoy
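The four-step nesting procedure from the quoted message, followed by the HBAC and sudo rules that consume the resulting POSIX group, as an added example script that is not part of this thread or of the FreeIPA project. Group names (external_admins, admins), the AD group 'AD\groupname', the host group and rule names are constructed placeholders. With DRY_RUN=1 (the default here) the script only prints the ipa commands it would run, so the plan can be reviewed before anything is changed; set DRY_RUN=0 on an admin host with a valid Kerberos ticket to apply it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): map an AD group to IPA
# HBAC and sudo policy by nesting an external group inside a POSIX group.
# All names below are assumptions; adjust them to your deployment.

DRY_RUN="${DRY_RUN:-1}"

# run_ipa: print the ipa command when DRY_RUN=1, otherwise execute it.
run_ipa() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipa'
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        ipa "$@"
    fi
}

# map_ad_group AD_GROUP EXT_GROUP POSIX_GROUP
# AD group -> external (non-POSIX) IPA group -> POSIX IPA group.
# The external group carries the AD SID; only the POSIX group is usable
# in HBAC/sudo rules, which is why the two layers are needed.
map_ad_group() {
    ad_group="$1"; ext_group="$2"; posix_group="$3"
    run_ipa group-add "$ext_group" --external --desc "External wrapper for $ad_group"
    run_ipa group-add-member "$ext_group" --external "$ad_group"
    run_ipa group-add "$posix_group" --desc "POSIX group used in HBAC/sudo rules"
    run_ipa group-add-member "$posix_group" --groups "$ext_group"
}

# grant_policy POSIX_GROUP HOSTGROUP HBAC_RULE SUDO_RULE
# Allow sshd logins on the host group and grant sudo for all commands
# to members of the POSIX group (which now includes the AD users).
grant_policy() {
    posix_group="$1"; hostgroup="$2"; hbac_rule="$3"; sudo_rule="$4"
    run_ipa hbacrule-add "$hbac_rule" --desc "ssh access for $posix_group"
    run_ipa hbacrule-add-user "$hbac_rule" --groups "$posix_group"
    run_ipa hbacrule-add-host "$hbac_rule" --hostgroups "$hostgroup"
    run_ipa hbacrule-add-service "$hbac_rule" --hbacsvcs sshd
    run_ipa sudorule-add "$sudo_rule" --cmdcat all
    run_ipa sudorule-add-user "$sudo_rule" --groups "$posix_group"
    run_ipa sudorule-add-host "$sudo_rule" --hostgroups "$hostgroup"
}

# plan_example: the whole procedure with constructed names.
plan_example() {
    map_ad_group 'AD\groupname' external_admins admins
    grant_policy admins webservers allow_admins_ssh admins_sudo
}

plan_example
```

Only the POSIX group appears in the rules; if you add the external group directly to an HBAC or sudo rule the rule will not match, because SSSD resolves AD users through the POSIX group membership. SSH public keys and home directories for AD users are handled separately through ID overrides, as the reply notes, not through these groups.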
