On 5/3/2020 9:19 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 5/2/20 2:18 PM, TomK via FreeIPA-users wrote:
> Hey All,
>
> Let's suppose I have two AD groups:
>
> unixadmin
> unixusers
>
> In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA
> functions.
>
> Whereas for the unixusers, I would like to give R/O access.
>
> I've already done the group mappings from AD to FreeIPA.
>
> What is the best way to achieve this? I'm finding related links
> online but not quite what I'm looking for.
>
> I did a test to see if nesting the unixadmin group within the FreeIPA
> admins group would work but I still can't log in to FreeIPA with my AD
> user, despite my ID residing in the unixadmin group which in turn is
> nested in the FreeIPA admins group.
>
> This is FreeIPA 4.6.4.
>
Hi,
you can find more information in "Configuring and Managing Identity
Management" RHEL 8 book, especially in the chapters "Enabling AD users
to administer IdM" [1] and "WebUI login for Active Directory users" [2].
An AD user needs an id override to be able to log in to the WebUI. With
this, he will have access to the self-service UI which provides only a
limited set of operations on his own account.
If the AD user is added to the admins group, he will get additional
privileges.
HTH,
flo

Thanks very much Flo!
--
Thx,
TK.