>>> - User/group management in general becomes largely a command-line operation
>>>   (such as mapping groups so they can be used in HBAC and sudo rules)
>> While this is a nice-to-have, it isn't a deal breaker.
> This definitely exists in WebUI? Unless you mean something I don't understand.
> Define groups:
> Identity->User Groups (second tab)

In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users that
are known via the trust with AD) under the "Users" tab. There is limited
visibility / management of external groups and membership, but nothing that
displays a list of available users/groups in AD when attempting to create/modify
a user/group.

> Define user mappings:
> IPA Server -> ID Views -> Default Trust View

By "mapping" I meant adding an AD group to a FreeIPA group (which can be used
for HBAC/sudo) so that AD membership is known by IPA when applying the
HBAC/sudo rules. For example:

    # Non-POSIX "external" group that will hold the AD group's SID
    ipa group-add \
        --desc="lab.gen.zone 'Domain Admins' external map" \
        lgz_map_domain_admins \
        --external

    # POSIX group that HBAC and sudo rules can reference
    ipa group-add \
        --desc="lab.gen.zone 'Domain Admins' POSIX" \
        lgz_domain_admins

    # Add the AD group (DOMAIN\Group) as an external member
    ipa group-add-member \
        lgz_map_domain_admins \
        --external 'LAB\Domain Admins'

    # Nest the external group inside the POSIX group
    ipa group-add-member \
        lgz_domain_admins \
        --groups lgz_map_domain_admins
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
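The AD-group-to-IPA-group mapping described in the reply above, carried through to the HBAC rule that consumes it and to a check of the result, as an added example (not code from the post or from the FreeIPA project). It assumes an established AD trust and an admin Kerberos ticket on an IPA client; the NetBIOS domain "LAB", the prefix "lgz", the host group "webservers", the rule name and the user/host names in main are constructed placeholders, and the "<prefix>_map_<slug>" naming convention mirrors the post's group names but is the script's own choice, not an IPA requirement. The ipa_run/ipa_exists helpers and DRY_RUN switch are likewise the example's own; ipa group-add, group-add-member, hbacrule-add*, hbacrule-show and hbactest are the real client subcommands.

```shell
#!/bin/sh
# Added example, not code from the list post: map an AD group into a FreeIPA
# POSIX group, attach that group to a scoped HBAC rule, and verify with hbactest.
# Assumes a working AD trust and an admin ticket (kinit admin). Domain "LAB",
# prefix "lgz", host group "webservers" and the user/host names are constructed.

# Run the ipa client only when it is installed and DRY_RUN is unset; otherwise
# print the command so the change set can be reviewed before it is applied.
ipa_run() {
    if [ -z "${DRY_RUN:-}" ] && command -v ipa >/dev/null 2>&1; then
        ipa "$@"
    else
        printf 'ipa %s\n' "$*"
    fi
}

# ipa_exists KIND NAME: true when "ipa KIND-show NAME" succeeds (group, hbacrule,
# ...). Always false in dry-run mode so every planned *-add command is shown.
ipa_exists() {
    [ -z "${DRY_RUN:-}" ] || return 1
    command -v ipa >/dev/null 2>&1 && ipa "$1-show" "$2" >/dev/null 2>&1
}

# "Domain Admins" -> "domain_admins"
slugify() { printf '%s' "$1" | tr 'A-Z ' 'a-z_'; }

# Naming convention used here (an assumption, not an IPA rule):
#   <prefix>_map_<slug>  external (non-POSIX) group holding the AD group's SID
#   <prefix>_<slug>      POSIX group that HBAC and sudo rules reference
ext_group_name()   { printf '%s_map_%s\n' "$1" "$(slugify "$2")"; }
posix_group_name() { printf '%s_%s\n' "$1" "$(slugify "$2")"; }

# map_ad_group NETBIOS "AD Group" PREFIX: create both groups (skipping ones that
# already exist) and nest the external group inside the POSIX group.
map_ad_group() {
    nb="$1"; ad_group="$2"; prefix="$3"
    ext_group=$(ext_group_name "$prefix" "$ad_group")
    posix_group=$(posix_group_name "$prefix" "$ad_group")

    ipa_exists group "$ext_group" || ipa_run group-add --external \
        --desc="$nb '$ad_group' external map" "$ext_group"
    ipa_exists group "$posix_group" || ipa_run group-add \
        --desc="$nb '$ad_group' POSIX" "$posix_group"
    # External members are named DOMAIN\Group; IPA resolves the SID via the trust.
    ipa_run group-add-member --external "$nb\\$ad_group" "$ext_group"
    ipa_run group-add-member --groups="$ext_group" "$posix_group"
}

# hbac_allow_group RULE GROUP HOSTGROUP SERVICE: let members of the mapped POSIX
# group reach SERVICE on hosts in HOSTGROUP. Scoping the rule to a host group and
# a service (instead of allow_all) keeps the AD mapping least-privilege.
hbac_allow_group() {
    rule="$1"; group="$2"; hostgroup="$3"; svc="$4"
    ipa_exists hbacrule "$rule" || ipa_run hbacrule-add "$rule"
    ipa_run hbacrule-add-user "$rule" --groups="$group"
    ipa_run hbacrule-add-host "$rule" --hostgroups="$hostgroup"
    ipa_run hbacrule-add-service "$rule" --hbacsvcs="$svc"
}

# hbac_check USER HOST SERVICE: have IPA evaluate its HBAC rules for one access
# request; the quickest way to confirm an AD user is actually matched.
hbac_check() { ipa_run hbactest --user="$1" --host="$2" --service="$3"; }

main() {
    map_ad_group LAB "Domain Admins" lgz
    hbac_allow_group allow_lgz_domain_admins_ssh \
        "$(posix_group_name lgz "Domain Admins")" webservers sshd
    hbac_check "jdoe@lab.gen.zone" "web01.ipa.example" sshd
}
main
```

Run it once with DRY_RUN=1 to see the exact ipa commands it would issue, then without it on a client that holds an admin ticket; the hbactest line at the end reports whether the constructed AD user would be allowed sshd on the named host under the new rule.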