freeipa

Clone
Source Code
GIT

8cce2bb Support adding user ID overrides as group and role members

6 files Authored by abbra 3 years ago, Committed by rcritten 3 years ago,
raw patch tree parent
6 files changed. 49 lines added. 18 lines removed.
ACI.txt
file modified
+1 -1
API.txt
file modified
+23 -11
VERSION.m4
file modified
+2 -2
ipaserver/plugins/baseldap.py
file modified
+4 -0
ipaserver/plugins/group.py
file modified
+9 -3
ipaserver/plugins/role.py
file modified
+10 -1 
    Support adding user ID overrides as group and role members
    
    Second part of adding support to manage IPA as a user from a trusted
    Active Directory forest.
    
    Treat user ID overrides as members of groups and roles.
    
    For example, adding an Active Directory user ID override as a member of
    'admins' group would make it equivalent to built-in FreeIPA 'admin'
    user.
    
    We already support self-service operations by Active Directory users if
    their user ID override does exist. When Active Directory user
    authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
    principal is automatically mapped to the user's ID override in the
    Default Trust View. LDAP server's access control plugin uses membership
    information of the corresponding LDAP entry to decide how access can be
    allowed.
    
    With the change, users from trusted Active Directory forests can
    manage FreeIPA resources if the groups are part of appropriate roles or
    their ID overrides are members of the roles themselves.
    
    Fixes: https://pagure.io/freeipa/issue/7255
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
file modified
+1 -1
file modified
+23 -11
file modified
+2 -2
file modified
+4 -0
file modified
+9 -3
file modified
+10 -1
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.