Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1319396
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
In an IPA-AD trust environment, add an option to filter AD groups at the level of a trust boundary so that they won't appear in IPA at all.

Version-Release number of selected component (if applicable):
ipa-server-trust-ad

What could be done to achieve this?
After adding an AD trust, it brings in lots and lots of groups from the Domain Controller, some of which may not be useful in the IPA (Linux) environment. If such AD groups are never going to be used, why not filter them out?

How could it be possible?
Blacklisting the SID at the KDC level doesn't seem to be of much use. Using ID Views would be nice: add a feature to completely hide a group, or, at the trust level, create a tab or config "thing" to hide groups from the trust.

Actual results (What do we have currently?):
After adding an AD trust, it brings in lots and lots of groups from the Domain Controller, some of which may not be useful. ID views can be used for this, but that doesn't seem to be a smart solution, since all new groups appearing in AD must be mapped.

Expected results:
There should be a way to filter out AD groups at the level of a trust boundary so that they won't appear in IPA at all and are blacklisted.

Additional info:
More information can be found in the mail thread below:
http://www.redhat.com/archives/freeipa-users/2016-February/msg00138.html
related to SSSD PAC effort
There is already an SSSD ticket related to this problem filed a year ago. https://fedorahosted.org/sssd/ticket/2616
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: Future Releases