[Freeipa-users] Is WinSync A Bad Choice?

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 2 08:16:06 UTC 2017


On Wed, 01 Feb 2017, Jason B. Nance wrote:
>>>> - User/group management in general becomes largely a command-line operation
>>>> (such as mapping groups so they can be used in HBAC and sudo rules)
>
>>> While this is a nice-to-have, it isn't a deal breaker.
>
>> This definitely exists in WebUI? Unless you mean something I don't understand.
>
>> Define groups:
>> Identity->User Groups (second tab)
>
>In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users
>(users that are known via the trust with AD) under the "Users" tab.
>There is limited visibility / management of external groups and
>membership, but nothing that displays a list of available users/groups
>in AD when attempting to create/modify a user/group.
Not seeing AD users is the correct thing; you aren't missing anything.

This topic comes up regularly on the list. It is described in the Windows
integration guide, and we discuss it here; you can look into the archives,
for example:

https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html

IPA is not designed to give you the ability to manage your AD users as if
they were in IPA -- you cannot create them there, you cannot list them
there. They are not there, and there is no need to pretend they are.

POSIX attributes for them can be managed in the ID overrides (in the Default
Trust View). We are working on making it possible to do self-service in the
web UI for AD users themselves in upcoming releases. You can do
'self-service' as an AD user in the CLI already with

  ipa idoverrideuser-mod "default trust view" your.account@ad.domain [options]

but you currently cannot log in as an AD user to the web UI. Also, an ID
Override needs to be pre-created by the IPA admin right now -- just do

  ipa idoverrideuser-add "default trust view" your.account@ad.domain



>> Define user mappings:
>> IPA Server -> ID Views -> Default Trust View
>
>By "mapping" I meant adding an AD group to a FreeIPA group (which can be used for HBAC/sudo) so that AD membership is known by IPA when applying the HBAC/sudo rules. For example:
>
>ipa group-add \
>--desc="lab.gen.zone 'Domain Admins' external map" \
>lgz_map_domain_admins \
>--external
>ipa group-add \
>--desc="lab.gen.zone 'Domain Admins' POSIX" \
>lgz_domain_admins
>ipa group-add-member \
>lgz_map_domain_admins \
>--external 'LAB\Domain Admins'
>ipa group-add-member \
>lgz_domain_admins \
>--groups lgz_map_domain_admins



-- 
/ Alexander Bokovoy
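As an added example (not code from this thread or from the FreeIPA project), the script below ties together the two procedures discussed above: the external-to-POSIX group mapping Jason uses for HBAC/sudo, and the admin-side pre-creation of the ID override that an AD user can then self-service with "ipa idoverrideuser-mod". It is written so it can be re-run safely: groups and overrides that already exist are skipped, and a member that is already present is tolerated instead of aborting the script. It assumes the "ipa" CLI is installed and the caller holds an admin Kerberos ticket; the helper names (ipa_group_exists, add_member, map_ad_group, precreate_override), the default login shell, and the "already a member" error text matched on re-runs are assumptions, while the group, domain and view names are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Maps an AD group into a POSIX IPA group usable in HBAC/sudo rules and
# pre-creates an ID override for an AD user. Assumes an admin ticket (kinit admin).
set -eu

# True if the IPA group exists (group-show exits non-zero when it does not).
ipa_group_exists() {
    ipa group-show "$1" >/dev/null 2>&1
}

# add_member <group> <--external|--groups|--users> <member>
# group-add-member exits non-zero when the member is already present, which
# would abort a re-run under set -e; tolerate only that case and surface
# every other failure. The "already a member" text is assumed to be IPA's wording.
add_member() {
    if out=$(ipa group-add-member "$1" "$2" "$3" 2>&1); then
        printf '%s\n' "$out"
    else
        case $out in
            *"already a member"*) ;;                 # idempotent re-run
            *) printf '%s\n' "$out" >&2; return 1 ;; # real failure: stop
        esac
    fi
}

# map_ad_group <AD group> <external IPA group> <POSIX IPA group> <description>
# The external (non-POSIX) group holds the AD SID; the POSIX group is what
# HBAC and sudo rules reference; nesting the first into the second links them.
map_ad_group() {
    ad_group=$1 ext_group=$2 posix_group=$3 desc=$4
    if ! ipa_group_exists "$ext_group"; then
        ipa group-add --external --desc="$desc external map" "$ext_group"
    fi
    if ! ipa_group_exists "$posix_group"; then
        ipa group-add --desc="$desc POSIX" "$posix_group"
    fi
    add_member "$ext_group" --external "$ad_group"
    add_member "$posix_group" --groups "$ext_group"
}

# precreate_override <user@AD.DOMAIN> [login shell]
# Creates the override in the Default Trust View if it is missing; this is the
# admin step an AD user cannot perform before running idoverrideuser-mod.
precreate_override() {
    user=$1 shell=${2:-/bin/bash}
    if ! ipa idoverrideuser-show "Default Trust View" "$user" >/dev/null 2>&1; then
        ipa idoverrideuser-add "Default Trust View" "$user" --shell="$shell"
    fi
}

# Usage: sh ad_map.sh apply   (without "apply" the script only defines the functions)
if [ "${1:-}" = apply ]; then
    map_ad_group 'LAB\Domain Admins' lgz_map_domain_admins lgz_domain_admins \
        "lab.gen.zone 'Domain Admins'"
    precreate_override your.account@ad.domain
fi
```

Run it as "sh ad_map.sh apply" on an IPA server or client with the admin tools installed. Because the existence checks use group-show and idoverrideuser-show, a missing or expired admin ticket makes every check fail and the subsequent group-add abort the script under set -e, which is the safer outcome than silently treating a lookup error as "does not exist yet".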