[Freeipa-users] Is WinSync A Bad Choice?

Jason B. Nance jason at tresgeek.net
Wed Feb 1 23:06:22 UTC 2017


>>> - User/group management in general becomes largely a command-line operation
>>> (such as mapping groups so they can be used in HBAC and sudo rules)

>> While this is a nice-to-have, it isn't a deal breaker.

> This definitely exists in WebUI? Unless you mean something I don't understand.

> Define groups:
> Identity->User Groups (second tab)

In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users that are known via the trust with AD) under the "Users" tab. There is limited visibility / management of external groups and membership, but nothing that displays a list of available users/groups in AD when attempting to create/modify a user/group.

> Define user mappings:
> IPA Server -> ID Views -> Default Trust View

By "mapping" I meant adding an AD group to a FreeIPA group (which can be used for HBAC/sudo) so that AD membership is known by IPA when applying the HBAC/sudo rules. For example: 

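# Create a non-POSIX external group to hold the AD group reference
ipa group-add \
    --desc="lab.gen.zone 'Domain Admins' external map" \
    lgz_map_domain_admins \
    --external

# Create the POSIX group that HBAC/sudo rules will reference
ipa group-add \
    --desc="lab.gen.zone 'Domain Admins' POSIX" \
    lgz_domain_admins

# Add the AD group as an external member of the external group
ipa group-add-member \
    lgz_map_domain_admins \
    --external 'LAB\Domain Admins'

# Nest the external group inside the POSIX group
ipa group-add-member \
    lgz_domain_admins \
    --groups lgz_map_domain_admins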