5:14 a.m.
Hello,
My FreeIPA (4.5.4) has a cross-forest trust with the AD of the company.
The requirement I have is to automatically add some AD Groups in the IdM Sudoers groups.
The documentation implies that this is possible only for the synchronized AD Users. Is
that true?
If not, can I just create an automember rule that will include specific AD groups in the
Sudoers membership?
If yes, what is the alternative I have?
5:33 a.m.
On ke, 26 syys 2018, Peter Tselios via FreeIPA-users wrote:
Hello,
My FreeIPA (4.5.4) has a cross-forest trust with the AD of the company.
The requirement I have is to automatically add some AD Groups in the IdM Sudoers groups.
The documentation implies that this is possible only for the synchronized AD Users. Is
that true?
What do you mean by 'synchronized AD users'?
If you have specific reference, please provide it.
If not, can I just create an automember rule that will include
specific AD groups in the Sudoers membership?
If yes, what is the alternative I have?
To answer your question, I need to
understand what you mean here.
Can you show examples of what you are implying under your questions?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
6:09 a.m.
Of course!
Reference:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
(Example 13.6)
Example:
AD Group: External Consultants ( I don't have the LDAP entry at the moment).
IdM Sudoers: Sudoers
9:12 a.m.
On ke, 26 syys 2018, Peter Tselios via FreeIPA-users wrote:
Of course!
Reference:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
(Example 13.6)
Thanks, this example talks about winsync-synchronised users. This is not
using trust to AD functionality but rather represents AD users as native
IPA users with some additional attributes/object classes.
Example:
AD Group: External Consultants ( I don't have the LDAP entry at the moment).
IdM Sudoers: Sudoers
I'll point you to my previous answers on this topic:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00295.html
https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html
If you want to add sudo rules for AD users then you shouldn't use
automember rules. You just add sudo rules for a POSIX group that
includes external group for these AD users. This would be a static rule.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
11:53 a.m.
On ke, 26 syys 2018, Peter Tselios via FreeIPA-users wrote:
This needs to be in the IdM documentation...
This *is already*
in the documentation, just in a separate book to what
you are look at. We have two books:
- "Linux domain identity, authentication, and policy guide"
- "Windows integration guide"
The latter has explanation about external groups and how they are used
for IdM policies:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
5.1.3.3. Active Directory Users and IdM Policies and Configuration
Several IdM policy definitions, such as SELinux, host-based access
control, sudo, and netgroups, rely on user groups to identify how the
policies are applied.
Active Directory users are external to the IdM domain, but they can
still be added as group members to IdM groups, as long as those groups
are configured as external groups described in Section 5.1.3.2, “Active
Directory Users and Identity Management Groups”. In such cases, the
sudo, host-based access controls, and other policies are applied to the
external POSIX group and, ultimately, to the AD user when accessing IdM
domain resources. The user SID in the PAC in the ticket is resolved to
the AD identity. This means that Active Directory users can be added as
group members using their fully-qualified user name or their SID.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2033
days inactive
2033
days old
freeipa-users@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Peter Tselios