[Freeipa-users] Easier management of trusted AD users from web UI
Patrick Hemmer
2017-05-15 01:14:51 UTC
I'm exploring using AD trusts, and am trying to find a good way to get
better management of trusted objects within FreeIPA.

One example, I add an AD user to an external group, and then add that
group to a POSIX group. When I want to view all the members of the POSIX
group, I can only see the native FreeIPA users. I have to manually go
into each nested group, and view all the external members to determine
who is in the top group. But from the command line a `getent group FOO`
shows nested members fine.

Another example, I see an external user in a group, and I want more
information about this user. Their name, department, etc. I can't get
it. I have to go into AD to find out who this user is. It would be nice
if I could see this info from within FreeIPA.

Or if I want to add an external user to a group, I have to know that
user's exact AD logon name. If I only have their real name, or other
information, I can't search for them and then add them to the group.


Is there any way to make these types of management tasks simpler? If
not, is such a thing on the road map?

Or as an alternative, is it possible to use the winsync plugin to pull
users from AD, but whenever such a user tries to authenticate, the
authentication is performed against AD? So that FreeIPA is used for
authorization, but not authentication?

Thanks

-Patrick
Alexander Bokovoy
2017-05-15 06:04:01 UTC
Post by Patrick Hemmer
I'm exploring using AD trusts, and am trying to find a good way to get
better management of trusted objects within FreeIPA.
One example, I add an AD user to an external group, and then add that
group to a POSIX group. When I want to view all the members of the POSIX
group, I can only see the native FreeIPA users. I have to manually go
into each nested group, and view all the external members to determine
who is in the top group. But from the command line a `getent group FOO`
shows nested members fine.
This is due to how AD users are represented in IPA. They aren't real LDAP
objects, so the membership plugin is not creating backlinks between groups
and their members. Resolution of external members happens at the place
which evaluates them, e.g. SSSD or an HBAC test tool.
Post by Patrick Hemmer
Another example, I see an external user in a group, and I want more
information about this user. Their name, department, etc. I can't get
it. I have to go into AD to find out who this user is. It would be nice
if I could see this info from within FreeIPA.
Yes, you need to go to the place where this user is defined, e.g. Active
Directory. We do not maintain information about AD users that belongs to
AD. You can only manage overrides for them, and even that is optional if
you are using POSIX attributes in AD LDAP.
Post by Patrick Hemmer
Or if I want to add an external user to a group, I have to know that
user's exact AD logon name. If I only have their real name, or other
information, I can't search for them and then add them to the group.
Sorry, that's not possible. We are able to address users only by their
samAccountName, their UPN, or directly by their SID. The rest is not
possible to retrieve in the general case when there is more than one domain
in an AD forest arranged in a complex topology. Their other properties
aren't guaranteed to be defined or unique.
Post by Patrick Hemmer
Is there any way to make these types of management tasks simpler? If
not, is such a thing on the road map?
No for both, so far.
Post by Patrick Hemmer
Or as an alternative, is it possible to use the winsync plugin to pull
users from AD, but whenever such a user tries to authenticate, the
authentication is performed against AD? So that FreeIPA is used for
authorization, but not authentication?
No, this is not possible.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
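An added example (not code from the thread or from the FreeIPA project) of the point both posts make: SSSD's `getent group` output resolves the nested external members, while the IPA group object only lists native users. The script parses constructed `getent group` output, splits members into native and trusted-domain users, and reports which effective members are not visible on the IPA group object. It assumes SSSD's default fully-qualified naming for trusted-domain users (`user@ad.example.com`) and unqualified names for native IPA users; group names, users and the domain are all constructed.

```python
# Added example: audit effective POSIX group membership as SSSD resolves it
# (getent) against the members the IPA group object itself lists.
# Assumption: trusted-domain users appear fully qualified (user@ad.example.com),
# native IPA users unqualified. All sample data below is constructed.
from dataclasses import dataclass

# Constructed sample of `getent group` output. The two AD users are there
# because an external group was nested into the POSIX group "developers".
GETENT_OUTPUT = """\
developers:*:1234000005:alice,bob,jsmith@ad.example.com,mjones@ad.example.com
ops:*:1234000006:carol
"""

# Constructed sample of the members `ipa group-show <group>` would list:
# only native IPA users, since external members are not backlinked.
IPA_GROUP_MEMBERS = {"developers": {"alice", "bob"}, "ops": {"carol"}}


@dataclass
class GroupAudit:
    name: str
    native: set          # unqualified members, i.e. native IPA users
    trusted: dict        # fully qualified member -> trusted domain
    hidden_from_ipa: set # effective members absent from the IPA group object


def parse_getent_groups(text):
    """Parse `getent group` lines (name:passwd:gid:member,member,...)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def audit_group(name, getent_members, ipa_members):
    native, trusted = set(), {}
    for member in getent_members:
        if "@" in member:
            _user, domain = member.rsplit("@", 1)
            trusted[member] = domain.lower()
        else:
            native.add(member)
    hidden = set(getent_members) - set(ipa_members)
    return GroupAudit(name, native, trusted, hidden)


def audit_all(getent_text, ipa_groups):
    """Return {group name: GroupAudit} for every group in the getent output."""
    parsed = parse_getent_groups(getent_text)
    return {n: audit_group(n, mem, ipa_groups.get(n, set())) for n, mem in parsed.items()}
```

On a real host, replace the constructed strings with the output of `getent group <name>` and the member list from `ipa group-show <name>`; the `hidden_from_ipa` set is exactly what the web UI will not show you.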