Please keep freeipa-users@ in CC:

On Thu, 01 Dec 2016, Denis Müller wrote:
Sorry, but I still do not understand how I can apply a single HBAC rule to a single user. Editing an HBAC rule, there is no option to select an ad_user.
As I said, there wouldn't be any. The concept is that you need to have a real LDAP object to include in the HBAC or sudo rule, and that object must be a POSIX user or group.
We cannot map an AD user to a POSIX user this way yet, only to POSIX groups, so in the HBAC rule you need to add a POSIX group instead of the AD user (or IPA user).
[root@ipa01 ~]# ipa group-show ad_users_external
  Gruppenname: ad_users_external
  Beschreibung: AD users external map
  Mitglied der Gruppen: ad_users
  Indirect Member of HBAC rule: ssh_rule
  External member: us...@rto.de, us...@rto.de
[root@ipa01 ~]# ipa hbacrule-add-user
Regelname: ssh_rule
[Mitglied Benutzer]: us...@rto.de
[Mitglied Gruppe]: ad_users_external
  Regelname: ssh_rule
  Aktiviert: TRUE
  Benutzergruppen: ad_users, ad_users_external
  Hosts: ipa-web.wop.bto.de
  Dienste: sshd
  Failed users/groups:
    Mitglied Benutzer: us...@rto.de: no such entry
    Mitglied Gruppe:

On Thursday, 01.12.2016, 16:12 +0200, Alexander Bokovoy wrote:
On Thu, 01 Dec 2016, Denis Müller wrote:
Hello Alexander, thank you for the reply. As I understand it, working with AD users/groups works this way:
ad_users => ad_users_external_group => ipa_users_group
So I can manage ipa_users_group to provide sudo rules etc. But how can I provide rules to a single user? What would be the best way?
The same way -- by specifying the user as part of the external group. Check out this email, this topic is raised regularly: https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
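The mapping path described in the reply (AD user -> external group -> POSIX group -> HBAC rule), written out as a runnable script. This is an added example, not code from the thread or from the FreeIPA project; the group names, the AD user principal and the host are constructed placeholders, and it assumes an admin Kerberos ticket is already held. The "per-user" rule Denis asked for is the same recipe with a group that has exactly one external member, which is why `hbacrule-add-user --users` is never given the AD principal (that is the call that returned "no such entry" above). Setting `IPA=echo` prints the commands instead of running them, so the logic can be checked without a server.

```shell
#!/bin/sh
# Added example: wire one AD trust user into an HBAC rule through the
# external-group / POSIX-group indirection. Names below are constructed
# placeholders; set IPA=echo for a dry run that only prints the commands.
set -eu

IPA="${IPA:-ipa}"   # the ipa CLI, or "echo" for a dry run

# Map one AD user into a POSIX group that HBAC/sudo rules can reference.
#   $1 AD user principal (user@AD.DOMAIN), $2 external group, $3 POSIX group
map_ad_user_to_posix_group() {
    ad_user=$1; ext_group=$2; posix_group=$3
    # Non-POSIX "external" group: the only IPA object that can hold an AD SID
    "$IPA" group-add --external "$ext_group" --desc "AD members of $posix_group"
    "$IPA" group-add-member "$ext_group" --external "$ad_user"
    # POSIX group wrapping the external one; rules point at this object
    "$IPA" group-add "$posix_group" --desc "POSIX wrapper for $ext_group"
    "$IPA" group-add-member "$posix_group" --groups "$ext_group"
}

# Attach the POSIX group (never the AD user itself) to an HBAC rule.
#   $1 rule name, $2 POSIX group
grant_hbac_to_posix_group() {
    rule=$1; posix_group=$2
    "$IPA" hbacrule-add-user "$rule" --groups "$posix_group"
}

# Evaluate the rule set on the server instead of probing with real logins.
#   $1 AD user principal, $2 target host, $3 service (e.g. sshd)
verify_hbac() {
    ad_user=$1; host=$2; service=$3
    "$IPA" hbactest --user "$ad_user" --host "$host" --service "$service"
}

# A rule for a single AD user: same recipe, one-member groups named
# after the principal (non-alphanumerics replaced by "_").
#   $1 AD user principal, $2 rule name, $3 target host
single_user_ssh_rule() {
    ad_user=$1; rule=$2; host=$3
    short=$(printf '%s' "$ad_user" | tr -c 'a-zA-Z0-9' '_')
    map_ad_user_to_posix_group "$ad_user" "ad_${short}_external" "ad_${short}"
    grant_hbac_to_posix_group "$rule" "ad_${short}"
    verify_hbac "$ad_user" "$host" sshd
}

# Usage (dry run): IPA=echo ./hbac_ad_user.sh
# Real run (needs kinit admin): ./hbac_ad_user.sh
if [ "${1:-}" = "--demo" ]; then
    single_user_ssh_rule 'jdoe@ad.example.test' ssh_rule ipa-web.example.test
fi
```

Once the real run succeeds, `ipa group-show ad_<name>_external` should list the principal under "External member" and the rule under "Indirect Member of HBAC rule", exactly as in the `ad_users_external` output quoted above; `hbactest` then reports whether `sshd` on the host is granted for that user.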