Hello, I'm setting up a test instance of FreeIPA with a one-way trust to the organization's AD. So far, that all appears to be working. I can run LDAP queries to look up users, I can log into the test instance via Kerberos, it's all golden. What I would like to do next is to add certain external AD users to the "admins" FreeIPA group so that these users can log into the FreeIPA web UI and perform administrative actions the same as the built-in "admin" user can. So far I have spent about a day reading docs, googling, and trying things out but haven't yet made this work. Here is what I've done so far:
In Identity -> Groups, I added a new group called "admins_external", being careful to select "External" when creating it. I then added the external user (u...@example.net, say) to that group. Next, I added the "admins_external" group to the built-in "admins" group.

Based on what little I know so far, I would expect that this would be enough, but when I log into the FreeIPA UI, it only shows the user's profile. There is no way to do anything else. I thought that maybe I needed an HBAC rule or two, so I created one to allow users in group "admin" access to any host via any service. I then disabled the "allow_all" HBAC rule. Still no dice.

For fun, I added a "native" FreeIPA user and put that user in the "admins_external" group. When logging into the UI with that user, it seems to have all of the admin functionality, unlike the external users.

If I'm missing something obvious, let me know. Fine by me if you point me towards some documentation, but I would ask that you be very specific about what I should read since, as I already said, I have already done quite a lot of research on this. :)

Thanks,
Charles

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
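The steps Charles describes, reproduced with the ipa CLI so they can be repeated on a scratch server and checked from the command line. This is an added example, not part of the original post and not FreeIPA project code. It assumes an admin Kerberos ticket is already held (kinit admin), that the trusted AD domain is example.net and the AD account is aduser@example.net (placeholder names, not the poster's), and that the server is FreeIPA 4.9 or later for the optional ID-override step (an assumption about the version; on older servers that option is absent). The HBAC rule name admins_anywhere is also a placeholder. Setting DRY_RUN=1 prints the commands instead of running them, which is how the script is exercised below without a server.

```shell
#!/bin/sh
# Added example (not from the original post): the poster's steps as ipa
# CLI commands, plus the checks an administrator would run afterwards.
# Assumptions (placeholders, not from the post): AD domain example.net,
# AD account aduser@example.net, HBAC rule name admins_anywhere.
set -eu

IPA="${IPA:-ipa}"
AD_USER="${AD_USER:-aduser@example.net}"
EXT_GROUP="${EXT_GROUP:-admins_external}"
IPA_HOST="${IPA_HOST:-$(hostname -f 2>/dev/null || echo ipa-server.example.test)}"

# Execute a command, or just print it when DRY_RUN=1 (used for testing
# without a FreeIPA server).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps from the post: external group, AD member, nest it into "admins".
setup_external_admins() {
    run "$IPA" group-add --external "$EXT_GROUP"
    run "$IPA" group-add-member "$EXT_GROUP" --external "$AD_USER"
    run "$IPA" group-add-member admins --groups "$EXT_GROUP"
}

# Step from the post: an HBAC rule for admins on any host / any service,
# then disable the default allow_all rule.
setup_hbac() {
    run "$IPA" hbacrule-add admins_anywhere --hostcat=all --servicecat=all
    run "$IPA" hbacrule-add-user admins_anywhere --groups admins
    run "$IPA" hbacrule-disable allow_all
}

# Assumption: FreeIPA 4.9 or later. Creates an ID override for the AD user
# in the Default Trust View and adds that override to "admins" directly,
# which is the documented way to give an AD user IPA roles/privileges.
grant_via_id_override() {
    run "$IPA" idoverrideuser-add 'Default Trust View' "$AD_USER"
    run "$IPA" group-add-member admins --idoverrideusers "$AD_USER"
}

# Checks: membership chain, SSSD resolution of the AD user, and HBAC result.
verify() {
    run "$IPA" group-show admins          # expect "Member groups: admins_external"
    run "$IPA" group-show "$EXT_GROUP"    # expect the AD SID under "External member"
    run id "$AD_USER"                     # SSSD must resolve the user and its groups
    run "$IPA" hbactest --user "$AD_USER" --host "$IPA_HOST" --service sshd
}

# Only apply changes when explicitly asked; sourcing the file defines the
# functions without touching the server.
if [ "${1:-}" = "--apply" ]; then
    setup_external_admins
    setup_hbac
    verify
fi
```

Note what the checks do and do not tell you: `ipa hbactest` evaluates HBAC, which governs PAM logins (sshd, login, etc.), not what the Web UI offers. Web UI capabilities come from the roles, privileges and permissions attached to the admins group, so a passing hbactest for a user who still sees only a profile page means membership or privilege resolution, not HBAC, is the thing to inspect next. Run `DRY_RUN=1 sh script.sh --apply` first to review the exact commands before applying them.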