Perfect. The example has been very clear.
Thank you very much!
Regards,
Daniele
On 30 January 2018 at 11:00, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Tue, 30 Jan 2018, Daniele Liciotti via FreeIPA-users wrote:
>>
>> Hi,
>>
>> I have connected my FreeIPA server with an AD in trust. Is it possible
>> to assign special permissions (sudo) to some AD users? I noticed that
>> the policies can only be set to an AD group.
>
> Policies can only be assigned to POSIX users/groups. Thus, if you have
> AD users or groups mapped to POSIX groups, you can get it working.
>
> Add a POSIX group:
> ipa group-add foo
>
> Add an external, non-POSIX group:
> ipa group-add --external foo_external
>
> Add an external user to an external group:
> ipa group-add-member foo_external --external user@ad.domain
>
> The member you add can be anything IPA could resolve into a SID, so a
> user or a group from a trusted AD domain.
>
> Add this external group to a POSIX group as a member:
> ipa group-add-member foo --groups=foo_external
>
> Then use the POSIX 'foo' group in your sudo rules.
> --
> / Alexander Bokovoy
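
The steps from the quoted reply, carried through to the sudo rule that the last step leaves open, as an added example that is not part of the original thread. The helper names `run` and `grant_ad_sudo`, the rule name `ad_netdiag`, the host `db01.ipa.example` and the command `/usr/sbin/ss` are constructed for illustration; the rule is scoped to one host and one command rather than to all hosts and all commands.

```shell
#!/bin/sh
# Added example: AD principal -> external group -> POSIX group -> sudo rule.
# DRY_RUN=1 (the default) only prints the ipa commands; DRY_RUN=0 executes
# them and needs a Kerberos ticket for an IPA administrator.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_ad_sudo POSIX_GROUP AD_MEMBER RULE HOST COMMAND
grant_ad_sudo() {
    [ $# -eq 5 ] || { echo "usage: grant_ad_sudo group member rule host cmd" >&2; return 2; }
    posix=$1 member=$2 rule=$3 host=$4 cmd=$5
    # An external member has to name a trusted-domain user or group;
    # a bare name would be looked up as a local IPA object instead.
    case $member in
        *@*.*|*\\*) ;;
        *) printf 'member must be user@ad.domain or DOMAIN\\name: %s\n' "$member" >&2
           return 2 ;;
    esac
    ext="${posix}_external"

    # Group plumbing, exactly as in the quoted reply.
    run ipa group-add "$posix" &&
    run ipa group-add --external "$ext" &&
    run ipa group-add-member "$ext" --external "$member" &&
    run ipa group-add-member "$posix" --groups="$ext" &&

    # Sudo rule that references only the POSIX group.
    run ipa sudocmd-add "$cmd" &&
    run ipa sudorule-add "$rule" &&
    run ipa sudorule-add-user "$rule" --groups="$posix" &&
    run ipa sudorule-add-host "$rule" --hosts="$host" &&
    run ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# Constructed sample values; prints nine ipa commands in dry-run mode.
grant_ad_sudo foo 'user@ad.domain' ad_netdiag db01.ipa.example /usr/sbin/ss
```

On an enrolled client, `id user@ad.domain` should then list `foo`, and `sudo -l -U user@ad.domain` should show the allowed command once SSSD has refreshed its cached sudo rules.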