#8357 Allow managing IPA resources as a user from a trusted Active Directory forest
Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

Allow users from trusted Active Directory forests to manage FreeIPA resources if they are part of appropriate roles in FreeIPA. For example, adding an Active Directory user as a member of ‘admins’ group would make it equivalent to built-in FreeIPA ‘admin’ user.

  • As an Administrator in AD I want to also be able to fully administer FreeIPA as if I am a FreeIPA admin so that I do not have to have two different accounts and passwords.

  • As an AD user I want to be able to use self-service features of the FreeIPA Web UI, for example to upload my SSH keys or change other data related to me that is managed in FreeIPA on my behalf.

  • As an AD user or Admin I want to be able to access the FreeIPA Web UI with SSO if I have a valid Kerberos ticket.

  • As an AD user or Admin I want to be able to access the FreeIPA Web UI and be prompted for user name and password.

  • As an AD user who is assigned appropriate privileges in FreeIPA, I’d like to be able to enroll FreeIPA hosts.

  • As an AD user who is assigned appropriate privileges in FreeIPA, I’d like to be able to promote FreeIPA hosts to replicas.


Metadata Update from @abbra:
- Issue assigned to abbra

3 years ago

master:

  • 676774d kdb: handle enterprise principal lookup in AS_REQ
  • 28389fe Add design page for managing IPA resources as a user from a trusted Active Directory forest
  • ecc0a96 support using trust-related operations in the server console
  • 973e0c0 idviews: handle unqualified ID override lookups from Web UI
  • bee4204 Support adding user ID overrides as group and role members
  • 306304b tests: account for ID overrides as members of groups and roles
  • 0ba64b1 Web UI: allow users from trusted Active Directory forest manage IPA
  • 9248d23 ipatests: test that adding Active Directory user to a role makes it an administrator

ipa-4-8:

  • 6abade3 kdb: handle enterprise principal lookup in AS_REQ
  • afe9191 support using trust-related operations in the server console
  • 2ffb4fd idviews: handle unqualified ID override lookups from Web UI
  • 8cce2bb Support adding user ID overrides as group and role members
  • 5e8df37 tests: account for ID overrides as members of groups and roles
  • 99e613e Web UI: allow users from trusted Active Directory forest manage IPA
  • 6b0f8f3 ipatests: test that adding Active Directory user to a role makes it an administrator

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.

3 years ago
