I'm reviewing the documentation at
https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow
members of certain AD groups to log in to FreeIPA from the web GUI.
Does this documentation only apply to the FreeIPA CLI, or does it also affect access to
manage through the web GUI?
Let's say we have an AD group named "engineers", and I want those engineers
to have admin access over FreeIPA.
If the above documentation only affects the CLI, that feels a little bit redundant,
because we can of course easily create Sudo / Su rules to allow members of
"engineers" to have control over the FreeIPA nodes using HBAC rules and such.
(This is already done and working -- members of `engineers` already have CLI admin access
over FreeIPA -- I now want them to have GUI admin access).
I'm also a little bit confused why the documentation says to add a domain user to the
AD "administrators" group (as an ID Override).
That feels like a security risk, because I don't want the user to be considered an
Active Directory administrator -- I only want the person (well, any members of the
`engineers` group) to have admin access over FreeIPA.
It sounds like this would have to be done on a user-by-user basis (and is not something we
could apply to an entire AD group that already exists)?
I ran:
`id administrator@ad.domain.com` and verified that I do have stdout.
But then I ran:
`ipa group-show administrator@ad.domain.com` and stdout included:
ipa: ERROR: administrator@ad.domain.com: group not found
Is there any way to accomplish what I want?
-----
David White
Engineer II, Fiber Systems Engineering