On Wed, 22 Apr 2020, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> On Wed, Apr 22, 2020 at 7:26 PM Natxo Asenjo <natxo.asenjo(a)gmail.com> wrote:
> >
> > In order to use AD nested groups, do we need to add an external IDM group
> > for every nested group?
> >
> specifically, our AD people have global groups (account groups, they say)
> with the user accounts, and the domain local groups (resource groups, they
> call them) have these global groups as members.
>
> So, in order to grant the people on the domain local groups which have no
> direct user members, should we create both external groups in Idm? Both the
> global group and the domain local group?

Domain local groups are not visible through the forest trust, so they cannot
be used in FreeIPA for access control means.
Global groups can be used if they are security groups and not just
distribution groups.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
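
The rule in the reply above can be checked against an AD export before any external groups are created. The following is an added example, not code from this thread or from the FreeIPA project: it decodes the `groupType` attribute of AD group entries and reports which ones the reply says can be used. The flag values are the standard AD `groupType` bits; the LDIF entries and the function names are constructed for illustration, and universal groups are reported as not covered because the reply does not mention them.

```python
# Added example: classify AD groups by groupType against the rule in the reply.
# groupType is a 32-bit flag field that AD returns as a signed integer.
GLOBAL = 0x00000002        # global ("account") group
DOMAIN_LOCAL = 0x00000004  # domain local ("resource") group
SECURITY = 0x80000000      # security-enabled; unset means distribution group

# Constructed sample entries (hypothetical names, not from the thread).
SAMPLE_LDIF = """\
dn: CN=acct-linux-admins,OU=Groups,DC=ad,DC=example,DC=test
groupType: -2147483646

dn: CN=res-linux-servers,OU=Groups,DC=ad,DC=example,DC=test
groupType: -2147483644

dn: CN=linux-news,OU=Groups,DC=ad,DC=example,DC=test
groupType: 2

dn: CN=all-engineers,OU=Groups,DC=ad,DC=example,DC=test
groupType: -2147483640
"""


def classify(group_type):
    """Return a verdict for one groupType value, following the reply."""
    flags = int(group_type) & 0xFFFFFFFF  # undo the signed representation
    if flags & DOMAIN_LOCAL:
        return "unusable: domain local, not visible through the forest trust"
    if flags & GLOBAL:
        if flags & SECURITY:
            return "usable: global security group"
        return "unusable: global distribution group"
    return "not covered by the reply"


def audit(ldif):
    """Map each group DN in a simple LDIF export to its verdict."""
    verdicts, dn = {}, None
    for line in ldif.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # blank separator line between entries
        if key == "dn":
            dn = value
        elif key == "groupType" and dn is not None:
            verdicts[dn] = classify(value)
    return verdicts


if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE_LDIF).items():
        print(f"{verdict:65} {dn}")
```
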