Hello, my FreeIPA (4.5.4) has a cross-forest trust with the AD of the company. The requirement I have is to automatically add some AD Groups in the IdM Sudoers groups.
The documentation implies that this is possible only for the synchronized AD Users. Is that true? If not, can I just create an automember rule that will include specific AD groups in the Sudoers membership? If yes, what is the alternative I have?
On Wed, 26 Sep 2018, Peter Tselios via FreeIPA-users wrote:
> Hello, my FreeIPA (4.5.4) has a cross-forest trust with the AD of the company. The requirement I have is to automatically add some AD Groups in the IdM Sudoers groups.
> The documentation implies that this is possible only for the synchronized AD Users. Is that true?
What do you mean by 'synchronized AD users'?
If you have specific reference, please provide it.
> If not, can I just create an automember rule that will include specific AD groups in the Sudoers membership? If yes, what is the alternative I have?
To answer your question, I need to understand what you mean here.
Can you show examples of what you are implying under your questions?
Of course!
Reference: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... (Example 13.6)
Example: AD Group: External Consultants (I don't have the LDAP entry at the moment). IdM Sudoers: Sudoers
On Wed, 26 Sep 2018, Peter Tselios via FreeIPA-users wrote:
> Of course!
> Reference: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... (Example 13.6)
Thanks, this example talks about winsync-synchronised users. This is not using trust to AD functionality but rather represents AD users as native IPA users with some additional attributes/object classes.
> Example: AD Group: External Consultants (I don't have the LDAP entry at the moment). IdM Sudoers: Sudoers
I'll point you to my previous answers on this topic: https://www.redhat.com/archives/freeipa-users/2014-March/msg00295.html https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html
If you want to add sudo rules for AD users then you shouldn't use automember rules. You just add sudo rules for a POSIX group that includes external group for these AD users. This would be a static rule.
On Wed, 26 Sep 2018, Peter Tselios via FreeIPA-users wrote:
> This needs to be in the IdM documentation...
This *is already* in the documentation, just in a separate book from the one you are looking at. We have two books:
- "Linux domain identity, authentication, and policy guide"
- "Windows integration guide"
The latter has explanation about external groups and how they are used for IdM policies:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
5.1.3.3. Active Directory Users and IdM Policies and Configuration
Several IdM policy definitions, such as SELinux, host-based access control, sudo, and netgroups, rely on user groups to identify how the policies are applied.
Active Directory users are external to the IdM domain, but they can still be added as group members to IdM groups, as long as those groups are configured as external groups described in Section 5.1.3.2, “Active Directory Users and Identity Management Groups”. In such cases, the sudo, host-based access controls, and other policies are applied to the external POSIX group and, ultimately, to the AD user when accessing IdM domain resources. The user SID in the PAC in the ticket is resolved to the AD identity. This means that Active Directory users can be added as group members using their fully-qualified user name or their SID.
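The static rule Alexander recommends above (AD group, nested in an external group, nested in a POSIX group, referenced by a sudo rule) and the mechanism the quoted section 5.1.3.3 describes (the SID from the ticket's PAC resolved to the external group member) as one worked example. This is an added script, not code from the thread or from the FreeIPA project. The forest name ad.example.com, the group names ad_consultants_external and ad_consultants, the rule name consultants_sudo and the ipa_cmd/ad_group_sudo/verify_ad_sudo helpers are all assumptions made here; the AD group "External Consultants" is taken from Peter's example. By default the script only prints the ipa command plan; set APPLY=1 after a kinit as an IdM admin to execute it.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): wire an AD group
# from a trusted forest into an IdM sudo rule without automember.
# Chain: AD group -> external (non-POSIX) IdM group -> POSIX IdM group -> sudo rule.
# Names are hypothetical placeholders; APPLY=1 runs ipa for real, otherwise
# the plan is printed so it can be reviewed (or tested) offline.

ipa_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipa "$@"
    else
        printf 'ipa %s\n' "$*"
    fi
}

# ad_group_sudo AD_GROUP EXT_GROUP POSIX_GROUP RULE
#   AD_GROUP    'DOMAIN\Name', 'Name@domain' or the group SID (all forms the
#               CLI accepts for --external members)
#   EXT_GROUP   IdM external group that stores the AD SID
#   POSIX_GROUP IdM POSIX group the sudo rule refers to
#   RULE        IdM sudo rule name
ad_group_sudo() {
    ad_group=$1
    ext_group=$2
    posix_group=$3
    rule=$4

    # 1. External group: created with --external so it may hold members that
    #    are not IdM users but AD SIDs resolved through the trust.
    ipa_cmd group-add "$ext_group" --external \
        --desc="AD group $ad_group (external map)"

    # 2. The AD group becomes a member; IdM looks the name up in the trusted
    #    domain and stores its SID.  Run interactively, the CLI may also
    #    prompt for [member user]/[member group]; both can be left empty.
    ipa_cmd group-add-member "$ext_group" --external "$ad_group"

    # 3. POSIX group that policies (sudo, HBAC, SELinux user maps) can bind to;
    #    the external group is nested inside it, so AD members inherit it.
    ipa_cmd group-add "$posix_group" --desc="POSIX wrapper for $ext_group"
    ipa_cmd group-add-member "$posix_group" --groups="$ext_group"

    # 4. The static sudo rule itself.  --hostcat=all/--cmdcat=all is the
    #    broadest form; in production narrow it with sudorule-add-host and
    #    sudorule-add-allow-command instead.
    ipa_cmd sudorule-add "$rule" --hostcat=all --cmdcat=all
    ipa_cmd sudorule-add-user "$rule" --groups="$posix_group"
}

# On an enrolled client, confirm that an AD user actually picks up the rule.
# SSSD caches sudo rules, so flush the cache before listing.  These are real
# commands (no dry run); call e.g. verify_ad_sudo 'jdoe@ad.example.com'.
verify_ad_sudo() {
    id "$1" && sss_cache -E && sudo -l -U "$1"
}

# Demo plan for a hypothetical forest ad.example.com.
ad_group_sudo 'AD.EXAMPLE.COM\External Consultants' \
    ad_consultants_external ad_consultants consultants_sudo
```

The external group is the only object that can carry the SID, and a sudo rule cannot reference it directly, which is why the POSIX wrapper group sits in between; this is also why an automember rule does not help here, since automember evaluates attributes of IdM user entries and AD users have none. On the client, `sudo -l -U` for the AD user should list the rule once SSSD has refreshed; if it does not, check that `id user@domain` shows the POSIX group first, because group resolution through the trust has to work before sudo can match.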
freeipa-users@lists.fedorahosted.org