Hi there After trying to add external usergroups from AD to allow (admin) users to log in to IPA webUI, by tdding the groups to toe local admin group and discovering that it didn't work, I found that as far as I can see, its currently not possibly, and fount this rather old ticket on the case:
https://fedorahosted.org/freeipa/ticket/3242 I can see that its currently pushed for IPA 4.5 and that the required patch seems to have been made, but also that the request have been pushed for some time now. Is there and active plan for pushing this into the 4.5 release as I too would like to have this implemented and see this as a BIG missing feature that everyone have to log in as admin, or create local IPA users, to be able to log in to webui.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project