Hi,
At first I just created an external group, added the user, and added that group to a role, but that didn't work. Then I stumbled across this while googling:
ipa idoverrideuser-add 'Default Trust View' username@DOMAIN
And it works, the user can use IPA commands with AD kerberos ticket and roles apply properly. But I cannot for the life of me figure out what that did and whether there are any other consequences.
Documentation talks about using ID views to override user properties but this doesn't specify any properties to override. Also, it says the view is applied to all AD users, but in that case why do I need to run that command?
Cheers, Yuriy
On Fri, 19 Jan 2024, Yuriy Halytskyy via FreeIPA-users wrote:
> Hi,
> At first I just created an external group, added the user, and added that group to a role, but that didn't work. Then I stumbled across this while googling:
> ipa idoverrideuser-add 'Default Trust View' username@DOMAIN
> And it works, the user can use IPA commands with AD kerberos ticket and roles apply properly. But I cannot for the life of me figure out what that did and whether there are any other consequences.
> Documentation talks about using ID views to override user properties but this doesn't specify any properties to override. Also, it says the view is applied to all AD users, but in that case why do I need to run that command?
You need to look at design pages that most new FreeIPA features have.
https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-truste...
Ahh, that explains it, thank you! Looks like I accidentally added "member User ID override" to a group as opposed to adding an external member.
Cheers, Yuriy
On Fri, Jan 19, 2024 at 8:12 PM Alexander Bokovoy abokovoy@redhat.com wrote:
> On Fri, 19 Jan 2024, Yuriy Halytskyy via FreeIPA-users wrote:
>> Hi,
>> At first I just created an external group, added the user, and added that group to a role, but that didn't work. Then I stumbled across this while googling:
>> ipa idoverrideuser-add 'Default Trust View' username@DOMAIN
>> And it works, the user can use IPA commands with AD kerberos ticket and roles apply properly. But I cannot for the life of me figure out what that did and whether there are any other consequences.
>> Documentation talks about using ID views to override user properties but this doesn't specify any properties to override. Also, it says the view is applied to all AD users, but in that case why do I need to run that command?
> You need to look at design pages that most new FreeIPA features have.
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-truste...
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland