[Freeipa-users] Re: Users and Admin access for AD Accounts

On 5/2/20 2:18 PM, TomK via FreeIPA-users wrote: > Hey All, > > Let's suppose I have two AD groups: > > unixadmin > unixusers > > In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA > functions. > > Whereas for the unixusers, I would like to give R/O access. > > I've already done the group mappings from AD to FreeIPA. > > What is the best way to achieve this?  I'm finding related links > online but not quite what I'm looking for. > > I did a test to see if nesting the unixadmin group within the FreeIPA > admins group would work but I still can't login to FreeIPA with my AD > user, despite my ID residing in the unixadmin group which in turn is > nested in the FreeIPA admins group. > > This is FreeIPA 4.6.4 . > Hi, you can find more information in "Configuring and Managing Identity Management" RHEL 8 book, especially in the chapters "Enabling AD users to administer IdM" [1] and "WebUI login for Active DIrectory users" [2]. An AD user needs an id override to be able to login to the WebUI. With this, he will have access to the self-service UI which provides only a limited set of operations on his own account. If the AD user is added to the admins group, he will get additional privileges. HTH, flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...