On Tue, 15 May 2018, Bart via FreeIPA-users wrote:
> I have an instance of FreeIPA with AD trust established. I know that it
> is possible to enable access for the web UI for AD users by creating an ID
> override as explained here:
> https://www.freeipa.org/page/V4/AD_Users_Login. My question is: would
> it be possible to enable the same by creating an ID override for an AD
> group instead of doing it on a per-user basis? This approach would be
> much simpler than iterating members of a group. However, when I tried
> to test this approach it didn't work for me - the AD user could not log in.
No, it is not possible to do that.

In order to log in to the Web UI, a real object in LDAP should exist that
will be used by the IPA framework to get access to the LDAP backend. The
code in the LDAP server can only map incoming authentication (Kerberos or
simple auth) to an existing LDAP object by its DN.

An ID override is the LDAP object your AD user would be mapped to.
Self-service access controls in the LDAP store apply to the object you are
representing after authentication, thus only properties of this object
would be allowed for editing. If all your AD users were mapped to a
group DN, they would effectively become a 'group', not an ID override,
so they wouldn't be able to handle their own self-service.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
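Since the answer above says the override has to exist per user, the practical route is to iterate the AD group's members and create one user ID override each. The script below is an added example written for this reply, not code from the thread or from the FreeIPA project. It assumes the AD group is resolvable through SSSD with `getent group` (the group(5) line format `name:x:gid:member,member`), that the target ID view is the default `Default Trust View`, and that the operator already holds an admin Kerberos ticket when running the live function; the sample group line is constructed for the dry run.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or FreeIPA itself):
# iterate the members of an AD group and create a per-user ID override in the
# trust view for each one, which is the per-user approach the reply requires.
# Assumptions (not from the thread): the group resolves via SSSD/getent, and
# the ID view is the default "Default Trust View".

IDVIEW='Default Trust View'

# Constructed sample getent(1) group line: name:x:gid:member,member
SAMPLE_GROUP_LINE='web admins@ad.example.com:*:1234567890:alice@ad.example.com,bob@ad.example.com'

# Print one member per line from a group(5)-format line (4th colon field).
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Build the ipa command that creates the override for one AD user.
override_cmd() {
    printf "ipa idoverrideuser-add '%s' '%s'\n" "$IDVIEW" "$1"
}

# Dry run: print the commands that would be executed for every member of
# the given group line, without touching the IPA server.
plan_overrides() {
    group_members "$1" | while IFS= read -r member; do
        override_cmd "$member"
    done
}

# Live run: resolve the AD group through SSSD and create the overrides.
# Needs a kinit'ed IPA admin ticket; failures are reported but do not stop
# the loop so the remaining members are still processed.
apply_overrides() {
    line=$(getent group "$1") || { echo "group not found: $1" >&2; return 1; }
    group_members "$line" | while IFS= read -r member; do
        ipa idoverrideuser-add "$IDVIEW" "$member" || echo "failed: $member" >&2
    done
}

# Dry run on the constructed line (uncomment to execute):
# plan_overrides "$SAMPLE_GROUP_LINE"
# Live usage: apply_overrides 'web admins@ad.example.com'
```

Run the dry-run function first to review the list; each resulting ID override is then the LDAP object the Web UI maps that AD user to, so self-service still works per user, which is exactly what a group-level override cannot provide.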