On ma, 12 loka 2020, Chris Dagdigian via FreeIPA-users wrote:
Spoke too soon -- looks like FreeIPA 4.8.7 does not support the
'--idoverrideusers' stuff shown on that URL:
Usage: ipa [global-options] group-add-member GROUP-NAME [options]
$ ipa group-add-member admins --idoverrideusers <rest of command>
Usage: ipa [global-options] group-add-member GROUP-NAME [options]
ipa: error: no such option: --idoverrideusers
Neither the group-add-member or the role-add-member seem to support the
"--idoverrideuser" required to make this work.
Are the docs outdated or is my IPA version?
You need to be clear about your runtime environment.
FreeIPA 4.8.7+ is available in Fedora and RHEL 8.3 beta.
My understanding is that Ubuntu version does not support trust to Active
Directory due to linking issues with Heimdal in Ubuntu's version of
Samba.
In RHEL 8.2 the 'third-party' plugin that David talks about is installed
automatically when
dnf module install idm:DL1/trust
is done.
Since that modifies server side API, a client side API cache needs to
expire or be cleaned. E.g.
rm -rf ~/.cache/ipa/
needs to be done and then next run of 'ipa ...' CLI would re-acquire new
metadata for IPA API that should be able to show --idoverrideusers
command:
ipa group-add-member --help
Usage: ipa [global-options] group-add-member GROUP-NAME [options]
Add members to a group.
Options:
-h, --help show this help message and exit
--external=STR Members of a trusted domain in DOM\name or name@domain
form
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only affects
output format.
--no-members Suppress processing of membership attributes.
--users=STR users to add
--groups=STR groups to add
--services=STR services to add
--idoverrideusers=STR
User ID overrides to add
Thanks!
Chris
> David Sastre <mailto:d.sastre.medina@gmail.com>
> October 12, 2020 at 2:10 PM
> Does this help?
>
>
https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru...
>
> Chris Dagdigian <mailto:dag@sonsorol.org>
> October 12, 2020 at 1:59 PM
> Hi folks,
>
> I've got a three-node replicating FreeIPA cluster running in AWS with a
> one-way trust to an Active Directory domain.
>
> Things work well with respect to user overrides and RBAC rules affecting
> client machines but I can't for the life of me figure out the order of
> operations for allowing a couple of external AD users to have admin
> access to the FreeIPA webUI itself.
>
> There are 3 AD users I'd like to give WebUI admin access to.
>
> So far I've tried the standard stuff I've used for non-IPA clients:
>
> 1) make group "corp_admins_external" populated with external
> "username(a)domain.com" identities
> 2) Make group "corp_admins_posix" populated with the
> corp_admins_external group
> 3) Added corp_admins_posix group to the admin group
>
> Best I've been able to do so far is give myself login access to just the
> user self-service page and even then that failed until
> oddjob-mkhomedir() was running and enabled under authconfig
>
> Is there a guide or a documentation set specific to granting admin
> access to the webUI for forms-based login users?
>
> Thanks!
>
> Chris
>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland