Hello,
I'm setting up a test instance of FreeIPA with a one-way trust to the organization's AD. So far, that all appears to be working. I can run LDAP queries to look up users, I can log into the test instance via Kerberos, it's all golden. What I would like to do next is to add certain external AD users to the "admins" FreeIPA group so that these users can log into the FreeIPA web UI and perform administrative actions the same as the built-in "admin" user can. So far I've spent about a day reading docs, googling, and trying things out but haven't yet made this work. Here is what I've done so far:
In Identity -> Groups, I added a new group called "admins_external", being careful to select "External" when creating it. I then added the external user (user@example.net, say) to that group. Next, I added the "admins_external" group to the built-in "admins" group. Based on what little I know so far, I would expect that this would be enough, but when I log into the FreeIPA UI, it only shows the user's profile. There is no way to do anything else.
I thought that maybe I needed an HBAC rule or two, so I created one to allow users in group "admin" access to any host via any service. I then disabled the "allow_all" HBAC rule. Still no dice.
For fun, I added a "native" FreeIPA user and put that user in the "admins_external" group. When logging into the UI with that user, it seems to have all of the admin functionality, unlike the external users.
If I'm missing something obvious, let me know. Fine by me if you point me towards some documentation, but I would ask that you be very specific about what I should read since as I already said, I have already done quite a lot of research on this. :)
Thanks, Charles
Charles Ulrich via FreeIPA-users wrote:
You don't say what version you're using but I'm pretty sure you need 4.7.0+ for this.
rob
Sorry, yes I guess that would have been critical information. I installed FreeIPA on CentOS 7 from the default repositories which is version 4.6.4. So I guess that explains that.
Is 4.6 considered stable? Is there a way to run 4.7 on CentOS in a production environment?
Thanks, Charles
Charles Ulrich via FreeIPA-users wrote:
No, 4.7 will never make it to RHEL 7.x. You can try the RHEL 8 beta for a preview of what's to come.
rob
On Wed, 06 Feb 2019, Charles Ulrich via FreeIPA-users wrote:
This is not supported in anything but RHEL 8.0 beta when you install
yum module enable idm:DL1
yum module install idm:DL1/adtrust
and then set things up for the trust to use as documented at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-bet...
No other distribution has experimental support to manage IPA as an Active Directory user. It is experimental because a number of things still don't work.
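The steps Charles describes in the first message (external group, AD member, nesting into "admins"), written as the equivalent `ipa` CLI calls with the 4.7.0+ precondition that Rob and Alexander point out checked first. This is an added example, not code from the thread or from the FreeIPA project; the AD user user@example.net and the group name admins_external are taken from the first message, and the IPA_DRY_RUN variable is an assumption of this script that only prints the commands instead of running them. The yum module commands from Alexander's reply (needed on RHEL 8 beta) are a prerequisite and are not repeated here.

```shell
#!/bin/sh
# Added example (not from the thread): ipa CLI equivalent of the web-UI steps
# in the first message, guarded by the FreeIPA >= 4.7.0 requirement from the replies.
# Assumptions (constructed for this example): AD user user@example.net, external
# group admins_external, and IPA_DRY_RUN=1 prints commands instead of running them.

# version_ge A B: true (exit 0) when dotted version A >= B, field by field numerically.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        af="${a%%.*}"; bf="${b%%.*}"
        # consume the leading field of each version string
        [ "$af" = "$a" ] && a="" || a="${a#*.}"
        [ "$bf" = "$b" ] && b="" || b="${b#*.}"
        af="${af:-0}"; bf="${bf:-0}"   # missing trailing fields count as 0 (4.7 == 4.7.0)
        if [ "$af" -gt "$bf" ]; then return 0; fi
        if [ "$af" -lt "$bf" ]; then return 1; fi
    done
    return 0
}

# run CMD...: execute, or only echo the command line when IPA_DRY_RUN=1.
run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_external_admins AD_USER [EXT_GROUP]: the three UI steps from the first message.
setup_external_admins() {
    ad_user="$1"
    ext_group="${2:-admins_external}"
    # 1. An "External" group is the only kind of IPA group that can hold trusted-domain members.
    run ipa group-add --external "$ext_group"
    # 2. --external is what selects an AD (trusted domain) user rather than an IPA user.
    run ipa group-add-member "$ext_group" --external "$ad_user"
    # 3. Nest the external group inside the built-in admins group.
    run ipa group-add-member admins --groups "$ext_group"
    # 4. Show the result so the nesting can be confirmed.
    run ipa group-show admins
}

# installed_version: parse "ipa --version", whose output looks like
# "VERSION: 4.6.4, API_VERSION: 2.229" (empty string if ipa is not installed).
installed_version() {
    ipa --version 2>/dev/null | sed -n 's/^VERSION: \([0-9.]*\).*/\1/p'
}

main() {
    v="$(installed_version)"
    if ! version_ge "${v:-0}" 4.7.0; then
        echo "FreeIPA ${v:-unknown} found; AD users as IPA admins need 4.7.0+ (see replies above)" >&2
        return 2
    fi
    setup_external_admins "user@example.net"
}

# Nothing is changed unless the script is invoked with "apply" as its first argument;
# IPA_DRY_RUN=1 ./this.sh apply only prints the ipa commands.
[ "${1:-}" = "apply" ] && main
```

On a CentOS 7 install (4.6.4, as in the thread) the version check fails and the script stops before touching any group, which is the outcome the replies describe; on a build that meets the requirement it performs the same three steps as the web UI and prints the "admins" group so the nested external group can be verified.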
freeipa-users@lists.fedorahosted.org