On 4/13/15, 11:37 AM, "Alexander Bokovoy" <[email protected]> wrote:
>Through external users' groups mechanism we use for any other AD users
>mapping in HBAC and SUDO. These are not local (not defined in IPA but
>defined on the host) groups and users but rather AD groups and users.
>
>ipa group-add --external gould_group_ext
>ipa group-add-member gould_group_ext [email protected]
>ipa group-add gould_group
>ipa group-add-member gould_group --groups=gould_group_ext
>
>And now make sudo rule that allows users of gould_group to run needed
>commands. SSSD will pull in all membership information for gould_group,
>including AD users.

Just curious, but if we don't plan on using any IPA native users, could you
skip the last two commands and add gould_group_ext to the sudo rule? I've
seen this same basic example used for HBAC, but it never was clear to me
why the IPA group needed to be added if you're only concerned with AD
users? Does it need to be added or do the examples include the IPA group
because they assume that you'll be wanting to use a mix of AD and IPA users
for HBAC and sudo?

Joshua

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
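The quoted recipe carried through to the sudo rule it stops short of, plus the checks an admin would run on an enrolled client afterwards, as an added example that is not part of the thread and not FreeIPA's own code or documentation. The rule name gould_sudo, the allowed command /usr/bin/systemctl, and the AD group and AD user values are constructed placeholders; the ipa subcommands and flags are the standard FreeIPA CLI. Run it with `apply` on an IPA server (or `IPA=echo ./script apply` to print the commands instead of running them) and with `verify` on a client.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the quoted group
# recipe carried through to a sudo rule, plus the checks run on a client.
# Constructed assumptions: rule name, allowed command, and the AD group/user
# placeholders. Set IPA=echo to print the server-side commands instead of
# running them.
set -eu

IPA="${IPA:-ipa}"                                    # FreeIPA CLI; IPA=echo for a dry run
AD_GROUP="${AD_GROUP:-sudo_users@ad.example.test}"   # placeholder AD group (DOM\name also works)
EXT_GROUP="${EXT_GROUP:-gould_group_ext}"            # non-POSIX group that holds the AD members
POSIX_GROUP="${POSIX_GROUP:-gould_group}"            # POSIX group the sudo rule references
RULE="${RULE:-gould_sudo}"                           # constructed sudo rule name
SUDOCMD="${SUDOCMD:-/usr/bin/systemctl}"             # constructed command to allow

# Step 1: the group plumbing as quoted above (external group for the AD
# members, nested into a regular IPA group).
create_groups() {
    "$IPA" group-add --external "$EXT_GROUP"
    "$IPA" group-add-member "$EXT_GROUP" --external="$AD_GROUP"
    "$IPA" group-add "$POSIX_GROUP"
    "$IPA" group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# Step 2: the sudo rule the quoted message leaves to the reader: register the
# command, create the rule, grant it to the POSIX group on all hosts.
create_sudo_rule() {
    "$IPA" sudocmd-add "$SUDOCMD"
    "$IPA" sudorule-add "$RULE"
    "$IPA" sudorule-add-user "$RULE" --groups="$POSIX_GROUP"
    "$IPA" sudorule-mod "$RULE" --hostcat=all
    "$IPA" sudorule-add-allow-command "$RULE" --sudocmds="$SUDOCMD"
}

setup_ad_sudo() {
    create_groups
    create_sudo_rule
}

# Client-side check: after SSSD's cache is flushed, an AD user should show the
# IPA group in `id` output and the rule in `sudo -l`.
verify_on_client() {
    ad_user="${AD_USER:?set AD_USER to an AD account, e.g. user@ad.example.test}"
    sss_cache -E                  # drop cached identities and sudo rules
    id "$ad_user"                 # expect $POSIX_GROUP among the groups
    sudo -l -U "$ad_user"         # expect $SUDOCMD listed
}

case "${1:-}" in
    apply)  setup_ad_sudo ;;
    verify) verify_on_client ;;
    *)      echo "usage: $0 apply|verify   (IPA=echo $0 apply for a dry run)" ;;
esac
```

The `verify` step is the useful half: `id` on the client shows whether SSSD actually pulled the AD user into the IPA group, and `sudo -l -U` shows whether the rule was fetched for that user, so a missing entry points at group nesting or SSSD caching rather than at the rule itself.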
