I'm reviewing the documentation at https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow members of certain AD groups to login to FreeIPA from the web GUI. Does this documentation only apply to the FreeIPA CLI, or does it also affect access to manage through the web GUI?
Let's say we have an AD group named "engineers", and I want those engineers to have admin access over FreeIPA. If the above documentation only affects the CLI, that feels a little bit redundant, because we can of course easily create Sudo / Su rules to allow members of "engineers" to have control over the FreeIPA nodes using HBAC rules and such. (This is already done and working -- members of `engineers` already have CLI admin access over FreeIPA -- I now want them to have GUI admin access).
I'm also a little bit confused why the documentation says to add a domain user to the AD "administrators" group (as an ID Override). That feels like a security risk, because I don't want the user to be considered an Active Directory administrator -- I only want the person (well, any members of the `engineers` group) to have admin access over FreeIPA.
It sounds like this would have to be done on a user-by-user basis (and is not something we could apply to an entire AD group that already exists)?
I ran: `id administrator@ad.domain.com` and verified that I do have stdout.
But then I ran: `ipa group-show administrator@ad.domain.com` and stdout included: `ipa: ERROR: administrator@ad.domain.com: group not found`
Is there any way to accomplish what I want?
-----
David White
Engineer II, Fiber Systems Engineering
On ke, 27 marras 2019, White, David via FreeIPA-users wrote:
> I'm reviewing the documentation at https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow members of certain AD groups to login to FreeIPA from the web GUI. Does this documentation only apply to the FreeIPA CLI, or does it also affect access to manage through the web GUI?
You should be looking at the official documentation, not upstream design documents. Official documentation for FreeIPA is available at access.redhat.com:
RHEL7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
RHEL7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
The last link has a chapter related to your enquiry, "CHAPTER 22. ENABLING AD USERS TO ADMINISTER IDM": https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
> I'm also a little bit confused why the documentation says to add a domain user to the AD "administrators" group (as an ID Override). That feels like a security risk, because I don't want the user to be considered an Active Directory administrator -- I only want the person (well, any members of the `engineers` group) to have admin access over FreeIPA.
If you have the ipa-idoverride-memberof package installed (as part of the idm:DL1/adtrust profile, for example), you can add ID overrides to any group with which you have associated permissions to manage resources.
Documentation shows adding to 'admins' group as an example because this group is given all permissions in IPA already.
> It sounds like this would have to be done on a user-by-user basis (and is not something we could apply to an entire AD group that already exists)?
It is not something you could apply to an entire group, correct. The group-based addition is not implemented yet.
> I ran: `id administrator@ad.domain.com` and verified that I do have stdout.
>
> But then I ran: `ipa group-show administrator@ad.domain.com` and stdout included: `ipa: ERROR: administrator@ad.domain.com: group not found`
>
> Is there any way to accomplish what I want?
No, that is not possible. You might want to read more details in https://raw.githubusercontent.com/abbra/freeipa-adusers-admins/master/plugin...
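As an added example, not code from this thread or from the FreeIPA project: the per-user procedure Alexander points to (an ID override in the trust view, then membership of an IdM group through the ipa-idoverride-memberof plugin), scripted over the members of one AD group because group-based addition is not implemented. It assumes RHEL 8 with the idm:DL1 adtrust profile, an admin Kerberos ticket, an AD realm ad.example.com, a hypothetical IdM group named ad-ipa-admins, and the default "User Administrator" role; the getent line is constructed. With DRY_RUN=1 (the default) it prints the ipa commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): grant AD users IdM administrative
# rights one ID override at a time, since adding a whole AD group is not implemented.
# Needs the ipa-idoverride-memberof plugin (RHEL 8, idm:DL1 adtrust) and an admin TGT.
# Assumptions: AD realm ad.example.com, IdM group "ad-ipa-admins" (hypothetical),
# role "User Administrator" (an IdM default role). DRY_RUN=1 prints, DRY_RUN=0 executes.

IPA_GROUP="${IPA_GROUP:-ad-ipa-admins}"      # hypothetical delegated group
IPA_ROLE="${IPA_ROLE:-User Administrator}"   # narrower than 'admins', which holds every permission
TRUST_VIEW="${TRUST_VIEW:-Default Trust View}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or in dry-run mode print it with each argument single-quoted.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        cmd="$1"; shift
        for a in "$@"; do cmd="$cmd '$a'"; done
        printf '%s\n' "$cmd"
    else
        "$@"
    fi
}

# Create the delegated group once and attach a role to it, so the AD users get only
# the permissions that role carries instead of full 'admins' membership.
ensure_delegated_group() {
    run ipa group-add "$IPA_GROUP" --desc "AD users delegated to administer IdM"
    run ipa role-add-member "$IPA_ROLE" --groups "$IPA_GROUP"
}

# Extract the member list from a getent-style group line (name:pw:gid:m1,m2,...).
members_of() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Per-user steps: an ID override in the trust view, then group membership via
# --idoverrideusers (the option ipa-idoverride-memberof adds to group-add-member).
grant_ipa_admin() {
    run ipa idoverrideuser-add "$TRUST_VIEW" "$1"
    run ipa group-add-member "$IPA_GROUP" --idoverrideusers "$1"
}

# Loop over the members of one AD group line. Outside dry-run, skip names SSSD
# cannot resolve so a typo does not leave a dangling override behind.
grant_group_members() {
    for u in $(members_of "$1"); do
        if [ "$DRY_RUN" != 1 ] && ! id "$u" >/dev/null 2>&1; then
            printf 'skip: %s does not resolve\n' "$u" >&2
            continue
        fi
        grant_ipa_admin "$u"
    done
}

# Constructed sample of what `getent group engineers@ad.example.com` returns via SSSD.
SAMPLE_GROUP_LINE='engineers@ad.example.com:*:1856400513:jdoe@ad.example.com,asmith@ad.example.com'

ensure_delegated_group
grant_group_members "$SAMPLE_GROUP_LINE"
# For a real run, `ipa idoverrideuser-show "$TRUST_VIEW" jdoe@ad.example.com` should
# then list the group under "Member of".
```

Run it with DRY_RUN=0 as an IdM administrator holding a ticket. Two points a practitioner will want: the RHEL chapter uses the built-in `admins` group only as an example, and a dedicated group carrying a role keeps the delegation narrower; and because the override has no IdM password, the AD user reaches the Web UI with a Kerberos ticket (`kinit jdoe@AD.EXAMPLE.COM`, then a browser configured for GSSAPI), not a username and password form. Re-run the script when the AD group changes; nothing in IdM tracks that group's membership for you.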
That's very helpful. Thank you very much.
Is there any chance RHEL & CentOS would add this `freeipa-adusers-admins` plugin for RHEL 7.x? If what I read on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... is correct, the prerequisite is to run RHEL 8 and use the `idm:DL1` stream and install the `adtrust` module.
If so, this isn't that big of a deal. We can still manage our ipa servers without Web UI admin access. Or we can of course use a shared service account or something. It would have been helpful, though, to give those permissions to an AD user in our environment.
Thanks again,
-----
David White
Engineer II, Fiber Systems Engineering
On 11/27/19, 9:05 AM, "Alexander Bokovoy" abokovoy@redhat.com wrote:
On ke, 27 marras 2019, White, David via FreeIPA-users wrote:
> I'm reviewing the documentation at https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I am hoping to allow members of certain AD groups to login to FreeIPA from the web GUI. Does this documentation only apply to the FreeIPA CLI, or does it also affect access to manage through the web GUI?
You should be looking at the official documentation, not upstream design documents. Official documentation for FreeIPA is available at access.redhat.com:
RHEL7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
RHEL7: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
RHEL8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
The last link has a chapter related to your enquiry, "CHAPTER 22. ENABLING AD USERS TO ADMINISTER IDM": https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
> I'm also a little bit confused why the documentation says to add a domain user to the AD "administrators" group (as an ID Override). That feels like a security risk, because I don't want the user to be considered an Active Directory administrator -- I only want the person (well, any members of the `engineers` group) to have admin access over FreeIPA.
If you have the ipa-idoverride-memberof package installed (as part of the idm:DL1/adtrust profile, for example), you can add ID overrides to any group with which you have associated permissions to manage resources.
Documentation shows adding to 'admins' group as an example because this group is given all permissions in IPA already.
> It sounds like this would have to be done on a user-by-user basis (and is not something we could apply to an entire AD group that already exists)?

It is not something you could apply to an entire group, correct. The group-based addition is not implemented yet.
> I ran: `id administrator@ad.domain.com` and verified that I do have stdout.
>
> But then I ran: `ipa group-show administrator@ad.domain.com` and stdout included: `ipa: ERROR: administrator@ad.domain.com: group not found`
>
> Is there any way to accomplish what I want?
No, that is not possible. You might want to read more details in https://raw.githubusercontent.com/abbra/freeipa-adusers-admins/master/plugin...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On ke, 27 marras 2019, White, David via FreeIPA-users wrote:
> That's very helpful. Thank you very much.
>
> Is there any chance RHEL & CentOS would add this `freeipa-adusers-admins` plugin for RHEL 7.x? If what I read on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... is correct, the prerequisite is to run RHEL 8 and use the `idm:DL1` stream and install the `adtrust` module.
Yes, RHEL 8 is a requirement. Too many things were changed and RHEL 7 is not in a support phase that doesn't allow to add new features.
> If so, this isn't that big of a deal. We can still manage our ipa servers without Web UI admin access. Or we can of course use a shared service account or something. It would have been helpful, though, to give those permissions to an AD user in our environment.
>
> Thanks again,
>
> David White
> Engineer II, Fiber Systems Engineering
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On ke, 27 marras 2019, Alexander Bokovoy via FreeIPA-users wrote:
> On ke, 27 marras 2019, White, David via FreeIPA-users wrote:
> > That's very helpful. Thank you very much.
> >
> > Is there any chance RHEL & CentOS would add this `freeipa-adusers-admins` plugin for RHEL 7.x? If what I read on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... is correct, the prerequisite is to run RHEL 8 and use the `idm:DL1` stream and install the `adtrust` module.
>
> Yes, RHEL 8 is a requirement. Too many things were changed and RHEL 7 is not in a support phase that doesn't allow to add new features.

Too convoluted, sorry. RHEL 7 is in a state where new features cannot be added anymore.
On to, 12 joulu 2019, Ronald Wimmer via FreeIPA-users wrote:
> Will this feature also allow using ipa vault for AD users?
Not yet, I think. There are still rough edges and work needs to be done for various objects to add support of that.
On pe, 27 maalis 2020, Ronald Wimmer via FreeIPA-users wrote:
> Any progress here?
Please do not drop the context when answering / asking. If you are using the mailing list's web UI, it is possible to quote the previous email, for example.
As for the vault being accessible to AD users, please file a ticket and describe a use case in more details.
If you have a subscription with Red Hat, it also helps to raise it through support, as that would allow the Red Hat product management team to see demand for that work.