David Sastre <mailto:d.sastre.medina@gmail.com> October 12, 2020 at 2:10 PM Does this help? https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... Chris Dagdigian <mailto:dag@sonsorol.org> October 12, 2020 at 1:59 PM Hi folks, I've got a three-node replicating FreeIPA cluster running in AWS with a one-way trust to an Active Directory domain. Things work well with respect to user overrides and RBAC rules affecting client machines but I can't for the life of me figure out the order of operations for allowing a couple of external AD users to have admin access to the FreeIPA webUI itself. There are 3 AD users I'd like to give WebUI admin access to. So far I've tried the standard stuff I've used for non-IPA clients: 1) make group "corp_admins_external" populated with external &quot;username(a)domain.com&quot; identities 2) Make group "corp_admins_posix" populated with the corp_admins_external group 3) Added corp_admins_posix group to the admin group Best I've been able to do so far is give myself login access to just the user self-service page and even then that failed until oddjob-mkhomedir() was running and enabled under authconfig Is there a guide or a documentation set specific to granting admin access to the webUI for forms-based login users? Thanks! Chris

Spoke too soon -- looks like FreeIPA 4.8.7 does not support the '--idoverrideusers' stuff shown on that URL: Usage: ipa [global-options] group-add-member GROUP-NAME [options] $ ipa group-add-member admins --idoverrideusers <rest of command> Usage: ipa [global-options] group-add-member GROUP-NAME [options] ipa: error: no such option: --idoverrideusers Neither the group-add-member or the role-add-member seem to support the "--idoverrideuser" required to make this work. Are the docs outdated or is my IPA version? Thanks! Chris David Sastre <d.sastre.medina(a)gmail.com&gt; October 12, 2020 at 2:10 PM Does this help? https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... Chris Dagdigian <dag(a)sonsorol.org&gt; October 12, 2020 at 1:59 PM Hi folks, I've got a three-node replicating FreeIPA cluster running in AWS with a one-way trust to an Active Directory domain. Things work well with respect to user overrides and RBAC rules affecting client machines but I can't for the life of me figure out the order of operations for allowing a couple of external AD users to have admin access to the FreeIPA webUI itself. There are 3 AD users I'd like to give WebUI admin access to. So far I've tried the standard stuff I've used for non-IPA clients: 1) make group "corp_admins_external" populated with external &quot;username(a)domain.com&quot; <username(a)domain.com&gt; identities 2) Make group "corp_admins_posix" populated with the corp_admins_external group 3) Added corp_admins_posix group to the admin group Best I've been able to do so far is give myself login access to just the user self-service page and even then that failed until oddjob-mkhomedir() was running and enabled under authconfig Is there a guide or a documentation set specific to granting admin access to the webUI for forms-based login users? Thanks! Chris

SELinux is preventing java from read access on the directory hsperfdata_pkiuser. *****  Plugin catchall (100. confidence) suggests ************************** If you believe that java should be allowed read access on the hsperfdata_pkiuser directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'java' --raw | audit2allow -M my-java # semodule -X 300 -i my-java.pp Additional Information: Source Context                system_u:system_r:tomcat_t:s0 Target Context                unconfined_u:object_r:user_tmp_t:s0 Target Objects                hsperfdata_pkiuser [ dir ] Source                        java Source Path                   java Port                          <Unknown> Host                          ipa001.ipa.XXX.com Source RPM Packages Target RPM Packages Policy RPM                    selinux-policy-3.14.3-41.el8_2.6.noarch Selinux Enabled               True Policy Type                   targeted Enforcing Mode                Enforcing Host Name                     ipa001.ipa.XXX.com Platform                      Linux ipa001.ipa.XXX.com                               4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14                               14:37:00 UTC 2020 x86_64 x86_64 Alert Count                   22 First Seen                    2020-09-25 19:58:50 UTC Last Seen                     2020-10-12 19:30:57 UTC Local ID                      4bfba108-7f68-4ba5-b5dd-7c74575d31dc Raw Audit Messages type=AVC msg=audit(1602531057.835:299): avc:  denied  { read } for pid=4643 comm="java" name="hsperfdata_pkiuser" dev="nvme0n1p2" ino=138422434 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0

Alexander Bokovoy <mailto:abokovoy@redhat.com> October 12, 2020 at 3:23 PM On ma, 12 loka 2020, Chris Dagdigian via FreeIPA-users wrote: > Spoke too soon -- looks like FreeIPA 4.8.7 does not support the > '--idoverrideusers' stuff shown on that URL: > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > $ ipa group-add-member admins --idoverrideusers <rest of command> > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > ipa: error: no such option: --idoverrideusers > > > Neither the group-add-member or the role-add-member seem to support > the "--idoverrideuser" required to make this work. > > Are the docs outdated or is my IPA version? You need to be clear about your runtime environment. FreeIPA 4.8.7+ is available in Fedora and RHEL 8.3 beta. My understanding is that Ubuntu version does not support trust to Active Directory due to linking issues with Heimdal in Ubuntu's version of Samba. In RHEL 8.2 the 'third-party' plugin that David talks about is installed automatically when  dnf module install idm:DL1/trust is done. Since that modifies server side API, a client side API cache needs to expire or be cleaned. E.g.   rm -rf ~/.cache/ipa/ needs to be done and then next run of 'ipa ...' CLI would re-acquire new metadata for IPA API that should be able to show --idoverrideusers command: ipa group-add-member --help Usage: ipa [global-options] group-add-member GROUP-NAME [options] Add members to a group. Options:   -h, --help            show this help message and exit   --external=STR        Members of a trusted domain in DOM\name or name@domain                         form   --all                 Retrieve and print all attributes from the server.                         Affects command output.   --raw                 Print entries as stored on the server. Only affects                         output format.   --no-members          Suppress processing of membership attributes.   --users=STR           users to add   --groups=STR          groups to add   --services=STR        services to add   --idoverrideusers=STR                         User ID overrides to add > > Thanks! > > Chris > > > > David Sastre <mailto:d.sastre.medina@gmail.com> > > October 12, 2020 at 2:10 PM > > Does this help? > > > > https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... > > > > Chris Dagdigian <mailto:dag@sonsorol.org> > > October 12, 2020 at 1:59 PM > > Hi folks, > > > I've got a three-node replicating FreeIPA cluster running in AWS > with a > one-way trust to an Active Directory domain. > > > Things work well with respect to user overrides and RBAC rules > affecting > client machines but I can't for the life of me figure out > the order of > operations for allowing a couple of external AD users > to have admin > access to the FreeIPA webUI itself. > > > There are 3 AD users I'd like to give WebUI admin access to. > > > So far I've tried the standard stuff I've used for non-IPA clients: > > > 1) make group "corp_admins_external" populated with external > > &quot;username(a)domain.com&quot; identities > > 2) Make group "corp_admins_posix" populated with the > > corp_admins_external group > > 3) Added corp_admins_posix group to the admin group > > > Best I've been able to do so far is give myself login access to > just the > user self-service page and even then that failed until > > oddjob-mkhomedir() was running and enabled under authconfig > > > Is there a guide or a documentation set specific to granting > admin > access to the webUI for forms-based login users? > > > Thanks! > > > Chris > > > Chris Dagdigian <mailto:dag@sonsorol.org> October 12, 2020 at 2:31 PM Spoke too soon -- looks like FreeIPA 4.8.7 does not support the '--idoverrideusers' stuff shown on that URL: Usage: ipa [global-options] group-add-member GROUP-NAME [options] $ ipa group-add-member admins --idoverrideusers <rest of command> Usage: ipa [global-options] group-add-member GROUP-NAME [options] ipa: error: no such option: --idoverrideusers Neither the group-add-member or the role-add-member seem to support the "--idoverrideuser" required to make this work. Are the docs outdated or is my IPA version? Thanks! Chris David Sastre <mailto:d.sastre.medina@gmail.com> October 12, 2020 at 2:10 PM Does this help? https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... Chris Dagdigian <mailto:dag@sonsorol.org> October 12, 2020 at 1:59 PM Hi folks, I've got a three-node replicating FreeIPA cluster running in AWS with a one-way trust to an Active Directory domain. Things work well with respect to user overrides and RBAC rules affecting client machines but I can't for the life of me figure out the order of operations for allowing a couple of external AD users to have admin access to the FreeIPA webUI itself. There are 3 AD users I'd like to give WebUI admin access to. So far I've tried the standard stuff I've used for non-IPA clients: 1) make group "corp_admins_external" populated with external &quot;username(a)domain.com&quot; identities 2) Make group "corp_admins_posix" populated with the corp_admins_external group 3) Added corp_admins_posix group to the admin group Best I've been able to do so far is give myself login access to just the user self-service page and even then that failed until oddjob-mkhomedir() was running and enabled under authconfig Is there a guide or a documentation set specific to granting admin access to the webUI for forms-based login users? Thanks! Chris

Alexander Bokovoy <mailto:abokovoy@redhat.com> October 12, 2020 at 3:48 PM On ma, 12 loka 2020, Chris Dagdigian wrote: > Thanks Alexander (you've been helpful for *years* on this list, much > appreciated ...) > > Looks like my issue was being unfamiliar with the CentOS/RHEL 8 > "dnf" repo commands ... > > For CentOS 8 the specific command was: > > # dnf module install idm:DL1/adtrust > > And for what it's worth installing the new plugin seems to hang > forever if SELINUX is running and enabled; possibly because my order > of installation did not set things up so the proper SELINUX policies > could be set > > Thescriptlet: > ipa-healthcheck-0.4-4.module_el8.2.0+374+0d2d74a1.noarch hangs > forever during the "dnf module install idm:DL1/adtrust" until you run > these commands: > > # ausearch -c 'java' --raw | audit2allow -M my-java > # semodule -X 300 -i my-java.pp > > Out of paranoia I'm going to disable SELINUX while I test out > allowing AD users to manage IPA just in case any other internal > process or subsystem hits a SELINUX wall. Can you please share the exact selinux issues as reported by ausearch? It may well be inconsistency in CentOS 8.2 rebuilds, especially if you are trying to use CentOS Stream. If it is only hsperfdata_pkiuser AVC as below, then it shouldn't be a big deal and it shouldn't cause any serious issue. This can be ignored -- it is writing down profiling data that might be used by Java VM but can live without it. > > Regards > Chris > > > This was the sealert message: > > SELinux is preventing java from read access on the directory > > hsperfdata_pkiuser. > > > *****  Plugin catchall (100. confidence) suggests > > ************************** > > > If you believe that java should be allowed read access on the > > hsperfdata_pkiuser directory by default. > > Then you should report this as a bug. > > You can generate a local policy module to allow this access. > > Do > > allow this access for now by executing: > > # ausearch -c 'java' --raw | audit2allow -M my-java > > # semodule -X 300 -i my-java.pp > > > > Additional Information: > > Source Context               > system_u:system_r:tomcat_t:s0 > > Target Context               > unconfined_u:object_r:user_tmp_t:s0 > > Target Objects                hsperfdata_pkiuser [ > dir ] > > Source                        java > > Source Path                   java > > Port                         <Unknown> > > Host                         > ipa001.ipa.XXX.com > > Source RPM Packages > > Target RPM Packages > > Policy RPM                   > selinux-policy-3.14.3-41.el8_2.6.noarch > > Selinux Enabled               True > > Policy Type                   targeted > > Enforcing Mode                Enforcing > > Host Name                    ipa001.ipa.XXX.com > > Platform                      Linux > ipa001.ipa.XXX.com > >                              > 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon > Sep 14 > >                              14:37:00 > UTC 2020 x86_64 x86_64 > > Alert Count                   22 > > First Seen                    2020-09-25 > 19:58:50 UTC > > Last Seen                     2020-10-12 > 19:30:57 UTC > > Local ID                     > 4bfba108-7f68-4ba5-b5dd-7c74575d31dc > > > Raw Audit Messages > > type=AVC msg=audit(1602531057.835:299): avc:  denied  { read } > for > pid=4643 comm="java" name="hsperfdata_pkiuser" dev="nvme0n1p2" > > ino=138422434 scontext=system_u:system_r:tomcat_t:s0 > > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 > > > > > > > Alexander Bokovoy <mailto:abokovoy@redhat.com> > > October 12, 2020 at 3:23 PM > > On ma, 12 loka 2020, Chris Dagdigian via FreeIPA-users wrote: > > > Spoke too soon -- looks like FreeIPA 4.8.7 does not support the > > > '--idoverrideusers' stuff shown on that URL: > > > > > Usage: ipa [global-options] group-add-member GROUP-NAME > [options] > > > > > > > $ ipa group-add-member admins --idoverrideusers <rest of > command> > > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > > > ipa: error: no such option: --idoverrideusers > > > > > > > Neither the group-add-member or the role-add-member seem > to support > > the "--idoverrideuser" required to make this work. > > > > > Are the docs outdated or is my IPA version? > > > You need to be clear about your runtime environment. > > > FreeIPA 4.8.7+ is available in Fedora and RHEL 8.3 beta. > > > My understanding is that Ubuntu version does not support trust to > Active > > Directory due to linking issues with Heimdal in Ubuntu's version of > > Samba. > > > In RHEL 8.2 the 'third-party' plugin that David talks about is > installed > > automatically when > >  dnf module install idm:DL1/trust > > > is done. > > > Since that modifies server side API, a client side API cache > needs to > > expire or be cleaned. E.g. > > >   rm -rf ~/.cache/ipa/ > > > needs to be done and then next run of 'ipa ...' CLI would > re-acquire new > > metadata for IPA API that should be able to show --idoverrideusers > > command: > > > ipa group-add-member --help > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > Add members to a group. > > Options: > >   -h, --help            show this help message and exit > >   --external=STR        Members of a trusted domain in > DOM\name or > name@domain > >                         form > >   --all                 Retrieve and print all > attributes from the > server. > >                         Affects command output. > >   --raw                 Print entries as stored on > the server. Only > affects > >                         output format. > >   --no-members          Suppress processing of membership > attributes. > >   --users=STR           users to add > >   --groups=STR          groups to add > >   --services=STR        services to add > >   --idoverrideusers=STR > >                         User ID overrides to > add > > > > > > > Thanks! > > > > > Chris > > > > > > > > David Sastre <mailto:d.sastre.medina@gmail.com> > > > > October 12, 2020 at 2:10 PM > > > > Does this help? > > > > > > https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... > > > > > > > > Chris Dagdigian <mailto:dag@sonsorol.org> > > > > October 12, 2020 at 1:59 PM > > > > Hi folks, > > > > > I've got a three-node replicating FreeIPA cluster running in > AWS > > with a > one-way trust to an Active Directory domain. > > > > > Things work well with respect to user overrides and RBAC > rules > > affecting > client machines but I can't for the life of me > figure > > out the order of > operations for allowing a couple of > external AD > > users to have admin > access to the FreeIPA webUI > itself. > > > > > There are 3 AD users I'd like to give WebUI admin access to. > > > > > So far I've tried the standard stuff I've used for non-IPA > clients: > > > > > 1) make group "corp_admins_external" populated with external > > > > &quot;username(a)domain.com&quot; identities > > > > 2) Make group "corp_admins_posix" populated with the > > > > corp_admins_external group > > > > 3) Added corp_admins_posix group to the admin group > > > > > Best I've been able to do so far is give myself login access > to > > just the > user self-service page and even then that failed > until > > > oddjob-mkhomedir() was running and enabled under authconfig > > > > > Is there a guide or a documentation set specific to granting > > > admin > access to the webUI for forms-based login users? > > > > > Thanks! > > > > > Chris > > > > > > > > > > > Chris Dagdigian <mailto:dag@sonsorol.org> > > October 12, 2020 at 2:31 PM > > Spoke too soon -- looks like FreeIPA 4.8.7 does not support the > > '--idoverrideusers' stuff shown on that URL: > > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > > $ ipa group-add-member admins --idoverrideusers <rest of command> > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > ipa: error: no such option: --idoverrideusers > > > > Neither the group-add-member or the role-add-member seem to > support the > "--idoverrideuser" required to make this work. > > > Are the docs outdated or is my IPA version? > > > Thanks! > > > Chris > > > > > David Sastre <mailto:d.sastre.medina@gmail.com> > > October 12, 2020 at 2:10 PM > > Does this help? > > > > https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... > > > > Chris Dagdigian <mailto:dag@sonsorol.org> > > October 12, 2020 at 1:59 PM > > Hi folks, > > > I've got a three-node replicating FreeIPA cluster running in AWS > with a > one-way trust to an Active Directory domain. > > > Things work well with respect to user overrides and RBAC rules > affecting > client machines but I can't for the life of me figure out > the order of > operations for allowing a couple of external AD users > to have admin > access to the FreeIPA webUI itself. > > > There are 3 AD users I'd like to give WebUI admin access to. > > > So far I've tried the standard stuff I've used for non-IPA clients: > > > 1) make group "corp_admins_external" populated with external > > &quot;username(a)domain.com&quot; identities > > 2) Make group "corp_admins_posix" populated with the > > corp_admins_external group > > 3) Added corp_admins_posix group to the admin group > > > Best I've been able to do so far is give myself login access to > just the > user self-service page and even then that failed until > > oddjob-mkhomedir() was running and enabled under authconfig > > > Is there a guide or a documentation set specific to granting > admin > access to the webUI for forms-based login users? > > > Thanks! > > > Chris > > > Chris Dagdigian <mailto:dag@sonsorol.org> October 12, 2020 at 3:35 PM Thanks Alexander (you've been helpful for *years* on this list, much appreciated ...) Looks like my issue was being unfamiliar with the CentOS/RHEL 8  "dnf" repo commands ... For CentOS 8 the specific command was: # dnf module install idm:DL1/adtrust And for what it's worth installing the new plugin seems to hang forever if SELINUX is running and enabled; possibly because my order of installation did not set things up so the proper SELINUX policies could be set Thescriptlet: ipa-healthcheck-0.4-4.module_el8.2.0+374+0d2d74a1.noarch  hangs forever during the "dnf module install idm:DL1/adtrust" until you run these commands: # ausearch -c 'java' --raw | audit2allow -M my-java # semodule -X 300 -i my-java.pp Out of paranoia I'm going to disable SELINUX while I test out allowing AD users to manage IPA just in case any other internal process or subsystem hits a SELINUX wall. Regards Chris This was the sealert message: > SELinux is preventing java from read access on the directory > hsperfdata_pkiuser. > > *****  Plugin catchall (100. confidence) suggests > ************************** > > If you believe that java should be allowed read access on the > hsperfdata_pkiuser directory by default. > Then you should report this as a bug. > You can generate a local policy module to allow this access. > Do > allow this access for now by executing: > # ausearch -c 'java' --raw | audit2allow -M my-java > # semodule -X 300 -i my-java.pp > > > Additional Information: > Source Context                system_u:system_r:tomcat_t:s0 > Target Context                unconfined_u:object_r:user_tmp_t:s0 > Target Objects                hsperfdata_pkiuser [ dir ] > Source                        java > Source Path                   java > Port                          <Unknown> > Host                          ipa001.ipa.XXX.com > Source RPM Packages > Target RPM Packages > Policy RPM                    selinux-policy-3.14.3-41.el8_2.6.noarch > Selinux Enabled               True > Policy Type                   targeted > Enforcing Mode                Enforcing > Host Name                     ipa001.ipa.XXX.com > Platform                      Linux ipa001.ipa.XXX.com >                               4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon > Sep 14 >                               14:37:00 UTC 2020 x86_64 x86_64 > Alert Count                   22 > First Seen                    2020-09-25 19:58:50 UTC > Last Seen                     2020-10-12 19:30:57 UTC > Local ID                      4bfba108-7f68-4ba5-b5dd-7c74575d31dc > > Raw Audit Messages > type=AVC msg=audit(1602531057.835:299): avc:  denied  { read } for > pid=4643 comm="java" name="hsperfdata_pkiuser" dev="nvme0n1p2" > ino=138422434 scontext=system_u:system_r:tomcat_t:s0 > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 > Alexander Bokovoy <mailto:abokovoy@redhat.com> > October 12, 2020 at 3:23 PM > On ma, 12 loka 2020, Chris Dagdigian via FreeIPA-users wrote: >> Spoke too soon -- looks like FreeIPA 4.8.7 does not support the >> '--idoverrideusers' stuff shown on that URL: >> >> Usage: ipa [global-options] group-add-member GROUP-NAME [options] >> >> >> $ ipa group-add-member admins --idoverrideusers <rest of command> >> Usage: ipa [global-options] group-add-member GROUP-NAME [options] >> >> ipa: error: no such option: --idoverrideusers >> >> >> Neither the group-add-member or the role-add-member seem to support >> the "--idoverrideuser" required to make this work. >> >> Are the docs outdated or is my IPA version? > > You need to be clear about your runtime environment. > > FreeIPA 4.8.7+ is available in Fedora and RHEL 8.3 beta. > > My understanding is that Ubuntu version does not support trust to Active > Directory due to linking issues with Heimdal in Ubuntu's version of > Samba. > > In RHEL 8.2 the 'third-party' plugin that David talks about is installed > automatically when >  dnf module install idm:DL1/trust > > is done. > > Since that modifies server side API, a client side API cache needs to > expire or be cleaned. E.g. > >   rm -rf ~/.cache/ipa/ > > needs to be done and then next run of 'ipa ...' CLI would re-acquire new > metadata for IPA API that should be able to show --idoverrideusers > command: > > ipa group-add-member --help > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > Add members to a group. > Options: >   -h, --help            show this help message and exit >   --external=STR        Members of a trusted domain in DOM\name or > name@domain >                         form >   --all                 Retrieve and print all attributes from the > server. >                         Affects command output. >   --raw                 Print entries as stored on the server. Only > affects >                         output format. >   --no-members          Suppress processing of membership attributes. >   --users=STR           users to add >   --groups=STR          groups to add >   --services=STR        services to add >   --idoverrideusers=STR >                         User ID overrides to add > > >> >> Thanks! >> >> Chris >> >> >> > David Sastre <mailto:d.sastre.medina@gmail.com> >> > October 12, 2020 at 2:10 PM >> > Does this help? >> > > >> https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... >> >> > > Chris Dagdigian <mailto:dag@sonsorol.org> >> > October 12, 2020 at 1:59 PM >> > Hi folks, >> > > I've got a three-node replicating FreeIPA cluster running in AWS >> with a > one-way trust to an Active Directory domain. >> > > Things work well with respect to user overrides and RBAC rules >> affecting > client machines but I can't for the life of me figure >> out the order of > operations for allowing a couple of external AD >> users to have admin > access to the FreeIPA webUI itself. >> > > There are 3 AD users I'd like to give WebUI admin access to. >> > > So far I've tried the standard stuff I've used for non-IPA clients: >> > > 1) make group "corp_admins_external" populated with external > >> &quot;username(a)domain.com&quot; identities >> > 2) Make group "corp_admins_posix" populated with the > >> corp_admins_external group >> > 3) Added corp_admins_posix group to the admin group >> > > Best I've been able to do so far is give myself login access to >> just the > user self-service page and even then that failed until > >> oddjob-mkhomedir() was running and enabled under authconfig >> > > Is there a guide or a documentation set specific to granting >> admin > access to the webUI for forms-based login users? >> > > Thanks! >> > > Chris >> > > > > > > > Chris Dagdigian <mailto:dag@sonsorol.org> > October 12, 2020 at 2:31 PM > Spoke too soon -- looks like FreeIPA 4.8.7 does not support the > '--idoverrideusers' stuff shown on that URL: > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > $ ipa group-add-member admins --idoverrideusers <rest of command> > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > ipa: error: no such option: --idoverrideusers > > > Neither the group-add-member or the role-add-member seem to support > the "--idoverrideuser" required to make this work. > > Are the docs outdated or is my IPA version? > > Thanks! > > Chris > > > > David Sastre <mailto:d.sastre.medina@gmail.com> > October 12, 2020 at 2:10 PM > Does this help? > > https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... > > Chris Dagdigian <mailto:dag@sonsorol.org> > October 12, 2020 at 1:59 PM > Hi folks, > > I've got a three-node replicating FreeIPA cluster running in AWS with > a one-way trust to an Active Directory domain. > > Things work well with respect to user overrides and RBAC rules > affecting client machines but I can't for the life of me figure out > the order of operations for allowing a couple of external AD users to > have admin access to the FreeIPA webUI itself. > > There are 3 AD users I'd like to give WebUI admin access to. > > So far I've tried the standard stuff I've used for non-IPA clients: > > 1) make group "corp_admins_external" populated with external > &quot;username(a)domain.com&quot; identities > 2) Make group "corp_admins_posix" populated with the > corp_admins_external group > 3) Added corp_admins_posix group to the admin group > > Best I've been able to do so far is give myself login access to just > the user self-service page and even then that failed until > oddjob-mkhomedir() was running and enabled under authconfig > > Is there a guide or a documentation set specific to granting admin > access to the webUI for forms-based login users? > > Thanks! > > Chris > > Alexander Bokovoy <mailto:abokovoy@redhat.com> October 12, 2020 at 3:23 PM On ma, 12 loka 2020, Chris Dagdigian via FreeIPA-users wrote: > Spoke too soon -- looks like FreeIPA 4.8.7 does not support the > '--idoverrideusers' stuff shown on that URL: > > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > > $ ipa group-add-member admins --idoverrideusers <rest of command> > Usage: ipa [global-options] group-add-member GROUP-NAME [options] > > ipa: error: no such option: --idoverrideusers > > > Neither the group-add-member or the role-add-member seem to support > the "--idoverrideuser" required to make this work. > > Are the docs outdated or is my IPA version? You need to be clear about your runtime environment. FreeIPA 4.8.7+ is available in Fedora and RHEL 8.3 beta. My understanding is that Ubuntu version does not support trust to Active Directory due to linking issues with Heimdal in Ubuntu's version of Samba. In RHEL 8.2 the 'third-party' plugin that David talks about is installed automatically when  dnf module install idm:DL1/trust is done. Since that modifies server side API, a client side API cache needs to expire or be cleaned. E.g.   rm -rf ~/.cache/ipa/ needs to be done and then next run of 'ipa ...' CLI would re-acquire new metadata for IPA API that should be able to show --idoverrideusers command: ipa group-add-member --help Usage: ipa [global-options] group-add-member GROUP-NAME [options] Add members to a group. Options:   -h, --help            show this help message and exit   --external=STR        Members of a trusted domain in DOM\name or name@domain                         form   --all                 Retrieve and print all attributes from the server.                         Affects command output.   --raw                 Print entries as stored on the server. Only affects                         output format.   --no-members          Suppress processing of membership attributes.   --users=STR           users to add   --groups=STR          groups to add   --services=STR        services to add   --idoverrideusers=STR                         User ID overrides to add > > Thanks! > > Chris > > > > David Sastre <mailto:d.sastre.medina@gmail.com> > > October 12, 2020 at 2:10 PM > > Does this help? > > > > https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru... > > > > Chris Dagdigian <mailto:dag@sonsorol.org> > > October 12, 2020 at 1:59 PM > > Hi folks, > > > I've got a three-node replicating FreeIPA cluster running in AWS > with a > one-way trust to an Active Directory domain. > > > Things work well with respect to user overrides and RBAC rules > affecting > client machines but I can't for the life of me figure out > the order of > operations for allowing a couple of external AD users > to have admin > access to the FreeIPA webUI itself. > > > There are 3 AD users I'd like to give WebUI admin access to. > > > So far I've tried the standard stuff I've used for non-IPA clients: > > > 1) make group "corp_admins_external" populated with external > > &quot;username(a)domain.com&quot; identities > > 2) Make group "corp_admins_posix" populated with the > > corp_admins_external group > > 3) Added corp_admins_posix group to the admin group > > > Best I've been able to do so far is give myself login access to > just the > user self-service page and even then that failed until > > oddjob-mkhomedir() was running and enabled under authconfig > > > Is there a guide or a documentation set specific to granting > admin > access to the webUI for forms-based login users? > > > Thanks! > > > Chris > > > Chris Dagdigian <mailto:dag@sonsorol.org> October 12, 2020 at 2:31 PM Spoke too soon -- looks like FreeIPA 4.8.7 does not support the '--idoverrideusers' stuff shown on that URL: Usage: ipa [global-options] group-add-member GROUP-NAME [options] $ ipa group-add-member admins --idoverrideusers <rest of command> Usage: ipa [global-options] group-add-member GROUP-NAME [options] ipa: error: no such option: --idoverrideusers Neither the group-add-member or the role-add-member seem to support the "--idoverrideuser" required to make this work. Are the docs outdated or is my IPA version? Thanks! Chris David Sastre <mailto:d.sastre.medina@gmail.com> October 12, 2020 at 2:10 PM Does this help? https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-tru...