That's very helpful.
Thank you very much.
Is there any chance RHEL & CentOS would add this `freeipa-adusers-admins` plugin for
RHEL 7.x? If what I read on
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
is correct, the prerequisite is to run RHEL 8 and use the `idm:DL1` stream and install the
`adtrust` module.
If so, this isn't that big of a deal. We can still manage our ipa servers without Web
UI admin access.
Or we can of course use a shared service account or something. It would have been
helpful, though, to give those permissions to an AD user in our environment.
Thanks again,
-----
David White
Engineer II, Fiber Systems Engineering
On 11/27/19, 9:05 AM, "Alexander Bokovoy" <abokovoy(a)redhat.com> wrote:
On Wed, 27 Nov 2019, White, David via FreeIPA-users wrote:
> I'm reviewing the documentation at
> https://www.freeipa.org/page/V4/Allow_AD_users_to_manage_FreeIPA, as I
> am hoping to allow members of certain AD groups to login to FreeIPA
> from the web GUI. Does this documentation only apply to the FreeIPA
> CLI, or does it also affect access to manage through the web GUI?
You should be looking at the official documentation, not upstream design
documents. Official documentation for FreeIPA is available at
access.redhat.com:
RHEL7:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
RHEL7:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
RHEL8:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
RHEL8:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
RHEL8:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
The last link has a chapter related to your enquiry,
"CHAPTER 22. ENABLING AD USERS TO ADMINISTER IDM":
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> I'm also a little bit confused why the documentation says to add a
> domain user to the AD "administrators" group (as an ID Override). That
> feels like a security risk, because I don't want the user to be
> considered an Active Directory administrator -- I only want the person
> (well, any members of the `engineers` group) to have admin access over
> FreeIPA.
If you have ipa-idoverride-memberof package installed (as part of
idm:DL1/adtrust profile, for example), you can add ID overrides to any
group that you have associated permissions to manage resources.
Documentation shows adding to 'admins' group as an example because this
group is given all permissions in IPA already.
> It sounds like this would have to be done on a user-by-user basis (and
> is not something we could apply to an entire AD group that already
> exists)?
It is not something you could apply to an entire group, correct. The
group-based addition is not implemented yet.
> I ran:
> `id administrator@ad.domain.com` and verified that I do have stdout.
> But then I ran:
> `ipa group-show administrator@ad.domain.com` and stdout included:
> ipa: ERROR: administrator@ad.domain.com: group not found
> Is there any way to accomplish what I want?
No, that is not possible. You might want to read more details in
https://raw.githubusercontent.com/abbra/freeipa-adusers-admins/master/plu...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
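The procedure Alexander describes (create a user ID override in an ID view, then make that override a member of an IPA group such as admins) has to be repeated per user, since group-based addition is not implemented. The script below is an added example, not code from the thread or from FreeIPA: it loops over the members of an AD group, resolved through SSSD with getent (the same lookup path that makes `id user@ad.domain` succeed while `ipa group-show` of the same name fails, because AD objects are not in the IPA LDAP tree), and runs the `ipa idoverrideuser-add` and `ipa group-add-member --idoverrideusers` commands provided by the ipa-idoverride-memberof plugin (idm:DL1 / IPA 4.8+). The domain ad.example.com, the group names and the view name are assumptions; set DRY_RUN=1 to print the plan instead of executing it, and run it with a valid admin Kerberos ticket when doing it for real.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# ipa-idoverride-memberof only lets you add *user* ID overrides to an IPA
# group, so granting IdM admin rights to an AD group means looping over its
# members: resolve the group via SSSD (getent), create an override for each
# member in the trust view, then add that override to the target IPA group.
#
# Assumed (hypothetical) names: AD domain ad.example.com, AD group "engineers",
# ID view "Default Trust View", IPA group "admins".
set -eu

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
AD_GROUP="${AD_GROUP:-engineers}"
IDVIEW="${IDVIEW:-Default Trust View}"
IPA_GROUP="${IPA_GROUP:-admins}"
IPA_BIN="${IPA_BIN:-ipa}"

# Run a command, or with DRY_RUN=1 only print it (lets the plan be reviewed
# before touching the admins group, and lets the logic be tried without a server).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Turn one getent group line ("name:x:gid:m1,m2,...") into one member per
# line, always fully qualified (user@AD_DOMAIN), the form the override
# commands expect. An empty member list yields no output.
members_from_getent_line() {
    line="$1"
    members="${line##*:}"
    [ -n "$members" ] || return 0
    old_ifs="$IFS"; IFS=','
    for m in $members; do
        case "$m" in
            *@*) printf '%s\n' "$m" ;;
            *)   printf '%s@%s\n' "$m" "$AD_DOMAIN" ;;
        esac
    done
    IFS="$old_ifs"
}

# Create the override idempotently, then put it in the IPA group.
enroll_user() {
    principal="$1"
    if ! run "$IPA_BIN" idoverrideuser-add "$IDVIEW" "$principal"; then
        # Creation fails when the override already exists; confirm that is
        # the reason, otherwise set -e aborts the run here.
        run "$IPA_BIN" idoverrideuser-show "$IDVIEW" "$principal" >/dev/null
    fi
    run "$IPA_BIN" group-add-member "$IPA_GROUP" --idoverrideusers="$principal"
}

main() {
    # getent goes through SSSD, so the AD group resolves here even though
    # "ipa group-show" of the same name reports "group not found".
    group_line=$(getent group "$AD_GROUP@$AD_DOMAIN")
    members_from_getent_line "$group_line" | while read -r p; do
        enroll_user "$p"
    done
}

# Only act when invoked explicitly, e.g.: DRY_RUN=1 sh enroll-ad-admins.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Each override is created in the trust view, not in AD: the AD account gains rights only in IdM, which is the point David raises about not wanting the user to become an AD administrator. Re-running the script is safe, since an existing override is tolerated and group-add-member on an existing member only reports it as already added.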