Hi All,
I’m to set up FreeIPA in my organization to be the central directory for users/groups/SSH keys and maybe sudo rules. All the users and groups are already present in Windows Active Directory.
So far I’ve tried setting up AD Trust, but this does not get the users in AD to log in to the web UI of FreeIPA. I have looked at PassSync as well, but as per the docs only users will be synced, and that only on a password change, and groups won’t be.
To give you more details below is my use case.
1. The users and groups are in AD.
2. A user in AD should be able to log in to the FreeIPA web UI using their AD password and manage their SSH keys.
3. Groups in AD should reflect in FreeIPA.
Appreciate if anyone can point me in the right direction.
Regards. --Prashant
On Mon, 27 May 2019, Prashant Bapat via FreeIPA-users wrote:
Have you read and followed the documentation?
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Actually no! Not that specific part. Let me give it a try and get back to you.
Thanks much. Regards. --Prashant
On 27/5/19, 5:18 pm, "Alexander Bokovoy" abokovoy@redhat.com wrote:
> Have you read and followed the documentation?
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> --
> Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
Hi Alexander,
I tried the "ID View" and "User ID Overrides". Questions below.
1. Do the user ID overrides need to be set up for each user/group in AD, one per?
2. After uploading the SSH pub key in the web UI, how does the sss_ssh_authorizedkeys command work? I'm not able to get the SSH keys on the client.
Thanks. --Prashant
On Mon, 27 May 2019, Prashant Bapat via FreeIPA-users wrote:
> Hi Alexander,
> I tried the "ID View" and "User ID Overrides". Questions below.
> - Do the user ID overrides need to be set up for each user/group in AD, one per?
Yes. You need to have an object in LDAP in which to store information for each user about their SSH public keys, certificates, etc.
> - After uploading the SSH pub key in the web UI, how does the sss_ssh_authorizedkeys command work? I'm not able to get the SSH keys on the client.
SSSD will pick them up for users at authentication or during restart. Users need to log in with a non-SSH-key method once (or SSSD needs to be restarted).
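The two answers above (one ID override per AD user to hold the key; SSSD only serves the key once its cache has been primed) translate into a few client-side checks. The script below is an added example written for this thread, not code from the list or from the FreeIPA project. It assumes the sshd_config directives that ipa-client-install writes (AuthorizedKeysCommand pointing at /usr/bin/sss_ssh_authorizedkeys plus AuthorizedKeysCommandUser), and the user name, key material and sample config in it are constructed placeholders. The server-side ipa command in the comment is the standard way to create the per-user override in the Default Trust View.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Server side, for reference (one override per AD user, as answered above;
# the view name is the built-in one, the user and key file are placeholders):
#   ipa idoverrideuser-add 'Default Trust View' aduser@ad.example.com \
#       --sshpubkey="$(cat aduser.pub)"

# Lookup command SSSD provides to sshd; overridable so the functions below
# can be exercised offline without a running SSSD.
SSS_AUTHKEYS_CMD="${SSS_AUTHKEYS_CMD:-sss_ssh_authorizedkeys}"

# check_sshd_config FILE: returns 0 when sshd is wired to ask SSSD for keys,
# i.e. both AuthorizedKeysCommand and AuthorizedKeysCommandUser are present
# as active (uncommented) directives.
check_sshd_config() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]+' "$1"
}

# count_valid_keys USER: prints how many well-formed public-key lines SSSD
# returns for USER. 0 is the symptom from the thread: the override exists on
# the server but this client's SSSD cache has not been primed yet.
count_valid_keys() {
    "$SSS_AUTHKEYS_CMD" "$1" 2>/dev/null |
        grep -Ec '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# keys_ready USER: 0 if at least one key is served; otherwise prints the
# remedy Alexander gave (one password login, or an SSSD restart) and returns 1.
keys_ready() {
    n=$(count_valid_keys "$1")
    if [ "$n" -gt 0 ]; then
        return 0
    fi
    echo "no keys served for $1: log in once with a password, or restart sssd" >&2
    return 1
}

# Demo on a constructed sshd_config holding the values ipa-client-install writes.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample, not copied from any host
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
if check_sshd_config "$tmp"; then
    echo "sshd -> sssd key lookup is configured"
else
    echo "sshd is not configured to query sssd for keys" >&2
fi
rm -f "$tmp"
```

On a real client, run `keys_ready aduser@ad.example.com` (with your own user) after the override is created; if it reports no keys, a single password login by that user or `systemctl restart sssd` primes the cache, after which key-based logins work.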