[Freeipa-devel] HBAC for AD users Active Directory trust setup

rajat gupta rajat.linux at gmail.com
Wed Oct 12 09:38:22 UTC 2016


Hi,

thank you for answering.

In this case I need to create multiple groups on the AD side, like user1 has
only "server1.example.com" and "server2.example.com" access and some other
user has some other server access. Then only my HBAC
rule will be implemented to a particular group, and every time I need to add
the user on the AD side to a particular group if I want to give some other server
access to the user. And I don't want to do it like this.


On Wed, Oct 12, 2016 at 11:05 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 12 Oct 2016, rajat gupta wrote:
>
>> Hi,
>>
>> Normally HBAC for AD users should be done through an external group.
>>
> You should use freeipa-users@ mailing list for these questions.
>
> And start with documentation:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html
>
>
>
>> So for example if we have 500+ users on AD and only 100 users are
>> administrators and they have Linux server access.
>>
>> I want to set the HBAC and sudo rules for users, so users have correct
>> server access and sudo rights, and I am using the *Active Directory
>> trust setup*.
>>
>> In this case I need to add all of the 100 users in Freeipa as external
>> group.
>>
>> for example :- user1 user name in AD
>>
>> *user1-external* external group in IPA for trusted domain users
>> *user1 :-  *POSIX group for external
>>
> No, you don't need to do that. All you need to do is to create a group
> on AD side where your users to access Linux systems would be added and
> then add that group to the external group on IPA side.
>
>> Do we have a document for implementing the HBAC and Sudo rules for external
>> group?
>>
> See above documentation and discussions on freeipa-users@ mailing list.
>
> --
> / Alexander Bokovoy
>



-- 

*Rajat Gupta *