[Freeipa-users] how to allow a remote realm user to be an IPA admin?
Simo Sorce
simo at redhat.com
Mon Dec 10 15:50:32 UTC 2012
On Mon, 2012-12-10 at 14:25 +0200, Alexander Bokovoy wrote:
> On Sun, 09 Dec 2012, Brian Cook wrote:
> >How do you let a remote user be an admin for IPA?
> You cannot do it, at least right now.
>
> >
> >I followed the fedora group example
> >
> >external group:ad_admins_external
> >Posix Group: ad_admins
> >
> >Then I made ad_admins a group member of ipa group 'admins' -
> >theoretically now MSAD\Administrator is an IPA admin? I get the
> >following. How does this work?
>
> Being able to perform IPA management operations means being able to bind
> to IPA LDAP with the identity in question. For Kerberos authentication
> LDAP server maps user principal to a DN of an object in LDAP.
>
> In case of trust users there are no LDAP objects that they represent
> since the whole idea of a trust was to avoid replicating objects between
> the realms, so while IPA KDC accepts AD realm's tickets for the users,
> IPA LDAP server doesn't know what they map to in terms of LDAP objects.
>
> Thus, trust users cannot be used to bind for LDAP access.
Note that this[1] DS tickeet needs to be implemented for us to be able,
at some point to create a fallback mapping so we can map foreign user to
a 'role' object in DS. This way we will be able to properly authorize
remote users to operate on freeipa, even as admins at some point as long
as we can map them to an object role based on a SAL mapping.
This will take a while though. For the moment you need a real FreeIPA
user to manage freeipa, you can think of foreign uses as 'guests' atm.
Simo.
[1] https://fedorahosted.org/389/ticket/534
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list