On Wed, 26 Sep 2018, Peter Tselios via FreeIPA-users wrote:
> This needs to be in the IdM documentation...
This *is already* in the documentation, just in a separate book from the
one you are looking at. We have two books:
- "Linux domain identity, authentication, and policy guide"
- "Windows integration guide"
The latter has an explanation of external groups and how they are used
for IdM policies:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
5.1.3.3. Active Directory Users and IdM Policies and Configuration
Several IdM policy definitions, such as SELinux, host-based access
control, sudo, and netgroups, rely on user groups to identify how the
policies are applied.
Active Directory users are external to the IdM domain, but they can
still be added as group members to IdM groups, as long as those groups
are configured as external groups described in Section 5.1.3.2, “Active
Directory Users and Identity Management Groups”. In such cases, the
sudo, host-based access controls, and other policies are applied to the
external POSIX group and, ultimately, to the AD user when accessing IdM
domain resources. The user SID in the PAC in the ticket is resolved to
the AD identity. This means that Active Directory users can be added as
group members using their fully-qualified user name or their SID.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
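The procedure the quoted documentation section describes, written out as the ipa CLI calls an IdM admin would type. This is an added example, not code from the thread or from the Red Hat documentation; the group, rule and domain names (ad_admins_external, ad_admins, admins_sudo, ad.example.com) are assumed for illustration, and the IPA variable is an assumption of this script so the commands can be dry-run on a host that is not joined to IdM.

```shell
#!/bin/sh
# Added example: map an AD group into an IdM POSIX group and attach a sudo
# rule to it, following the external-group pattern from the quoted docs.
# All names here are assumed for illustration.
set -eu

# IPA defaults to the real client binary; set IPA="echo ipa" to print the
# commands instead of running them (assumed knob of this script, not of ipa).
IPA="${IPA:-ipa}"

# 1. An external group holds AD identities (names or SIDs) and has no GID,
#    so no POSIX policy can match it directly.
create_external_group() {
    $IPA group-add "$1" --external --desc "AD members via trust"
}

# 2. Add the AD user or group by fully-qualified name or by SID; IdM
#    resolves it through the trust and stores the SID.
add_external_member() {
    $IPA group-add-member "$1" --external "$2"
}

# 3. A regular (POSIX) group carries the GID that sudo, HBAC, SELinux and
#    netgroup rules evaluate; nest the external group inside it.
create_posix_group() {
    $IPA group-add "$1" --desc "POSIX group carrying AD members"
    $IPA group-add-member "$1" --groups "$2"
}

# 4. Policies reference the POSIX group, never the external one.
grant_sudo() {
    $IPA sudorule-add "$1" --hostcat=all --cmdcat=all
    $IPA sudorule-add-user "$1" --groups "$2"
}

# Full sequence: AD group -> external group -> POSIX group -> sudo rule.
setup_ad_sudo() {
    create_external_group ad_admins_external
    add_external_member ad_admins_external 'ad_admins@ad.example.com'
    create_posix_group ad_admins ad_admins_external
    grant_sudo admins_sudo ad_admins
}

# Only apply against a live IdM server when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    setup_ad_sudo
fi
```

To verify on an IdM client after the membership is in place, run `sss_cache -E` and then `id ad_admins@ad.example.com`-style lookups for an AD user: the POSIX group (ad_admins) must appear in the user's group list, because that GID, not the external group, is what the sudo or HBAC evaluation sees. If `group-add-member --external` fails with a resolution error, the name must be in user@AD.DOMAIN or DOMAIN\user form (or a SID) and the trust must be able to resolve it.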