Right, that's what I've got at this point. I just wanted to make sure I wasn't missing something. Unfortunately, that architecture won't work for me (mostly for political reasons instead of technical ones). I guess I'll be digging into pass through auth to see if I can get that working.
thx.
===================================
*Daniel Shown,* Linux Systems Administrator
Advanced Technology Group
Information Technology Services <http://www.slu.edu/its>
at Saint Louis University <http://www.slu.edu/>.
314-977-2583
===================================
"The aim of education is the knowledge, not of facts, but of values." - William S. Burroughs
"I'm supposed to be a scientific person but I use intuition more than logic in making basic decisions." - Seymour R. Cray

On Mon, Aug 11, 2014 at 3:08 PM, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 11 Aug 2014, Daniel Shown wrote:
>
>> I'm fairly new to FreeIPA, so can someone give me a sanity check? Should I
>> be able to map AD users in an AD trust to corresponding FreeIPA users?
>> i.e. Users can auth with their AD credentials and get a FreeIPA uidnumber,
>> gidnumber, home, etc.?
>>
> Users from a trusted forest are treated as separate users. They have
> their own identities and get IDs from either Active Directory (if POSIX
> compatibility is enabled at AD) or from a special ID range allocated for
> them in IPA.
>
> You can include these users (and groups, it doesn't matter what is what)
> into a special type of group in IPA, called "external" groups. These
> groups, in turn, can be members of existing POSIX groups from IPA. If
> done so, your AD users will become members of appropriate POSIX groups
> from IPA by means of nested membership.
>
> These POSIX groups then can be used to apply SUDO or HBAC rules against
> AD users.
>
> --
> / Alexander Bokovoy
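The external-group nesting Alexander describes above, written out as an added example for the ipa CLI (this is not code from the thread or from the FreeIPA project). It creates an external group, adds an AD group to it, nests it in a POSIX group, and attaches HBAC and sudo rules to the POSIX group. The AD domain and group (AD\Domain Admins), the IPA group names (ad_admins_external, ad_admins), the rule names (allow_ad_admins, sudo_ad_admins), the hostgroup linux_servers and the user in the verification step are all assumed for illustration. With DRY_RUN=1 (the default) the script prints the commands it would run instead of executing them; set DRY_RUN=0 on a machine with an admin Kerberos ticket to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): map an AD group from a trusted forest
# onto an IPA POSIX group through an "external" group, then apply HBAC and
# sudo rules to that POSIX group. All names below are assumed for illustration.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ipa commands as a plan, 0 = run them

# run CMD...: print the command in dry-run mode, otherwise execute it.
# Dry-run output is a readable plan, not re-executable shell (quoting is lost).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# map_ad_group AD_GROUP EXT_GROUP POSIX_GROUP
# AD_GROUP is given as DOMAIN\name or name@domain, as the ipa CLI expects.
map_ad_group() {
    ad_group="$1"; ext_group="$2"; posix_group="$3"
    # 1. An external (non-POSIX) group; only these may hold trusted-domain SIDs.
    run ipa group-add --desc="External members from AD" --external "$ext_group"
    # 2. Add the AD group as an external member; IPA resolves it to a SID.
    run ipa group-add-member "$ext_group" --external "$ad_group"
    # 3. An ordinary POSIX group; its gidNumber is what hosts will see.
    run ipa group-add --desc="POSIX group for $ad_group" "$posix_group"
    # 4. Nest the external group so AD users inherit the POSIX membership.
    run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# allow_group POSIX_GROUP HBAC_RULE SUDO_RULE HOSTGROUP
# Hangs an HBAC rule (all services on HOSTGROUP) and a sudo rule (all commands,
# all hosts) off the POSIX group, which now transitively contains the AD users.
allow_group() {
    posix_group="$1"; hbac_rule="$2"; sudo_rule="$3"; hostgroup="$4"
    run ipa hbacrule-add --servicecat=all "$hbac_rule"
    run ipa hbacrule-add-user "$hbac_rule" --groups "$posix_group"
    run ipa hbacrule-add-host "$hbac_rule" --hostgroups "$hostgroup"
    run ipa sudorule-add --cmdcat=all --hostcat=all "$sudo_rule"
    run ipa sudorule-add-user "$sudo_rule" --groups "$posix_group"
}

# verify_ad_user AD_USER HOST: on an enrolled client, `id` should show the
# trust-range uid/gid plus the POSIX group, and hbactest should report
# that access is granted for the HBAC service.
verify_ad_user() {
    run id "$1"
    run ipa hbactest --user="$1" --host="$2" --service=sshd
}

# Assumed names: AD group "Domain Admins" in domain AD, IPA groups
# ad_admins_external / ad_admins, hostgroup linux_servers, rules as below.
map_ad_group 'AD\Domain Admins' ad_admins_external ad_admins
allow_group ad_admins allow_ad_admins sudo_ad_admins linux_servers
verify_ad_user 'jdoe@ad.example.com' client1.ipa.example.com
```

Two things worth checking once this is applied: the uid/gid that `id` reports for the AD user still come from AD (or the trust ID range), not from any IPA user entry, so the POSIX group only adds a supplementary group, which is exactly the limit Alexander describes; and `ipa group-add-member --external` is refused on a group that was not created with `--external`, so the order of the first two steps matters.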
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
