Overwriting certain attributes may be more directly addressed by: https://fedorahosted.org/freeipa/ticket/3979
You are to some extent describing a feature that we call "views" that is currently in works. But there are two parts: a) Ability to overwrite POSIX attributes for AD users - this is views https://fedorahosted.org/freeipa/ticket/3318 https://fedorahosted.org/freeipa/ticket/4509 b) Ability to apply policies to AD users. It is already possible. This is done via group membership. So you create a group in IPA, make AD group an external member of that group and then use that IPA group to apply HBAC, SUDO and SELinux rules. As for RBAC what do you mean? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project