#2149 [RFE] When trusts are enabled allow an AD user to access and manage IPA
Closed: fixed 2 years ago by frenaud. Opened 12 years ago by dpal.

Use case:

  1. User is on a Windows system that is part of the AD domain
  2. User has authenticated against AD and holds a TGT
  3. AD and IPA trust each other
  4. User starts IE on his system and points it at the IPA UI
  5. User is able to manage IPA if he is a member of an administrative group

Something like this would probably require a remapping of the identities received from AD and the ticket to the local accounts. It is unclear if it can be done in a non "fragile" way.


Patch for this RFE is on the devel list.

Moving to needs_triage

Prerequisite for the feature was pushed:

master:

  • b506fd1 adtrust: support GSSAPI authentication to LDAP as Active Directory user

Moving to 4.5, but some preparation work, e.g. a crude preview, may land in 4.4.x if implemented. If so, a new 4.4.x ticket would be needed for that.

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Already provided and documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index#enabling-ad-user-to-administer-idm_configuring-and-managing-idm:

AD users are now able to use the self service features of IdM UI, for example to upload their SSH keys, or change their personal data. An AD administrator is able to fully administer IdM without having two different accounts and passwords.

Note
Currently, selected features in IdM may still be unavailable to AD users. For example, setting passwords for IdM users as an AD user from the IdM admins group might fail.

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
- Issue status updated to: Closed (was: Open)

2 years ago
