[Freeipa-users] Easier management of trusted AD users from web UI

Alexander Bokovoy abokovoy at redhat.com
Mon May 15 06:04:01 UTC 2017


On Sun, 14 May 2017, Patrick Hemmer wrote:
>I'm exploring using AD trusts, and am trying to find a good way to get
>better management of trusted objects within FreeIPA.
>
>One example, I add an AD user to an external group, and then add that
>group to a POSIX group. When I want to view all the members of the POSIX
>group, I can only see the native FreeIPA users. I have to manually go
>into each nested group, and view all the external members to determine
>who is in the top group. But from the command line a `getent group FOO`
>shows nested members fine.
This is due to how AD users are represented in IPA. They aren't real LDAP
objects, so the membership plugin is not creating backlinks between groups
and their members. Resolution of external members happens at the place
which evaluates them, e.g. SSSD or an HBAC test tool.

>Another example, I see an external user in a group, and I want more
>information about this user. Their name, department, etc. I can't get
>it. I have to go into AD to find out who this user is. It would be nice
>if I could see this info from within FreeIPA.
Yes, you need to go to the place where this user is defined, e.g. Active
Directory. We do not maintain information about AD users that belongs to
AD. You can only manage overrides for them, and even that is optional if
you are using POSIX attributes in AD LDAP.

>Or if I want to add an external user to a group, I have to know that
>user's exact AD logon name. If I only have their real name, or other
>information, I can't search for them and then add them to the group.
Sorry, that's not possible. We are able to address users only by their
samAccountName, their UPN, or directly by their SID. The rest is not
possible to retrieve in the general case, when there is more than one domain
in the AD forest arranged in a complex topology. Their other properties
aren't guaranteed to be defined or unique.


>Is there any way to make these types of management tasks simpler? If
>not, is such a thing on the road map?
No for both, so far. 

>Or as an alternative, is it possible to use the winsync plugin to pull
>users from AD, but whenever such a user tries to authenticate, the
>authentication is performed against AD? So that FreeIPA is used for
>authorization, but not authentication?
No, this is not possible.

-- 
/ Alexander Bokovoy
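As an added illustration of the point made above (this is example code written for this page, not FreeIPA's own code and not part of the thread), the model below uses a handful of constructed directory entries shaped like IPA's: a POSIX group holds a native IPA user directly plus an "external" group whose only content is an AD SID stored in `ipaExternalMember`. Because the SID has no LDAP entry of its own, no `memberOf` backlink is ever written for it, so a viewer that reads backlinks (what the web UI effectively does) sees the native user alone, while a consumer that walks `member` downwards (what SSSD does for `getent group`) sees both. The base DN, the SID, the group and user names are all made up.

```python
"""Nested-group resolution with and without memberOf backlinks.

Constructed, simplified entries (not a real deployment): DN -> attributes.
memberOf appears only where the membership plugin would have written a
backlink, i.e. on native users and groups, never for an AD SID.
"""

BASE = "dc=example,dc=test"  # constructed suffix
GROUP = f"cn=ad_admins,cn=groups,cn=accounts,{BASE}"
EXT_GROUP = f"cn=ad_admins_external,cn=groups,cn=accounts,{BASE}"
ALICE = f"uid=alice,cn=users,cn=accounts,{BASE}"
AD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # made-up SID

DIRECTORY = {
    EXT_GROUP: {
        "objectClass": ["groupofnames", "ipaexternalgroup"],
        "ipaExternalMember": [AD_SID],   # the AD user lives only here
        "member": [],
        "memberOf": [GROUP],
    },
    GROUP: {
        "objectClass": ["groupofnames", "posixgroup"],
        "gidNumber": ["1000"],
        "member": [ALICE, EXT_GROUP],
    },
    ALICE: {
        "objectClass": ["posixaccount"],
        "uidNumber": ["1200"],
        "memberOf": [GROUP],
    },
}


def backlink_view(group_dn, directory=DIRECTORY):
    """Users as a backlink-driven viewer lists them: every user entry whose
    memberOf names the group. An AD SID has no entry, so it can never show
    up here no matter how the external group is nested."""
    return sorted(
        dn for dn, attrs in directory.items()
        if "posixaccount" in attrs.get("objectClass", [])
        and group_dn in attrs.get("memberOf", [])
    )


def resolve_members(group_dn, directory=DIRECTORY):
    """Flatten membership the way an evaluating consumer must: walk the
    'member' attribute downwards, collect native users, and harvest SIDs
    from ipaExternalMember on the way. 'seen' guards against nested-group
    cycles; dangling member DNs are skipped rather than treated as users."""
    users, sids, seen = set(), set(), set()

    def walk(dn):
        if dn in seen:
            return
        seen.add(dn)
        attrs = directory.get(dn)
        if attrs is None:
            return  # dangling reference, nothing to resolve
        if "posixaccount" in attrs.get("objectClass", []):
            users.add(dn)
            return
        sids.update(attrs.get("ipaExternalMember", []))
        for child in attrs.get("member", []):
            walk(child)

    walk(group_dn)
    return {"users": sorted(users), "external": sorted(sids)}


if __name__ == "__main__":
    print("backlink view (UI-style):", backlink_view(GROUP))
    print("resolved view (getent-style):", resolve_members(GROUP))
```

The resolver is what has to exist on the consuming side; nothing in the directory itself records that the SID is reachable from the POSIX group, which is why the UI and `getent` disagree.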



