freeipa/ipaserver
Alexander Bokovoy 349322e3fb sudorule runAs: allow to add users and groups from trusted domains directly
Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of
commands.

IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
attributes to record 'external' objects referenced in SUDO rules for
specifying the target user and group to run the commands allowed in the
SUDO rule.

Use member type validators to 'ipa sudorule-add/remove-runasuser/runasgroup'
family of commands and rely on member type validators from 'idviews'
plugin to resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in IPA SUDOERs schema attributes is supported
in SSSD 2.4 or later.

RN: IPA now supports users and groups from trusted Active Directory
RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
RN: without an intermediate non-POSIX group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-26 13:05:27 -05:00
..
advise Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
dnssec Change mkdir logic in DNSSEC 2020-12-18 20:40:36 +02:00
install Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
plugins sudorule runAs: allow to add users and groups from trusted domains directly 2021-01-26 13:05:27 -05:00
secrets NSSWrappedCertDB: accept optional symmetric algorithm 2019-09-25 12:42:06 +10:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
dcerpc_common.py Py3: Replace six.text_type with str 2018-09-27 16:11:18 +02:00
dcerpc.py trust-fetch-domains: use custom krb5.conf overlay for all trust operations 2021-01-22 12:21:33 -05:00
dns_data_management.py Lookup ipa-ca record with NSS 2020-10-10 12:54:06 +02:00
Makefile.am Build: Makefiles for Python packages 2016-11-09 13:08:32 +01:00
masters.py Add hidden replica feature 2019-03-28 17:57:58 +01:00
p11helper.py Grammar: whitespace is a word 2020-06-23 10:16:29 +02:00
rpcserver.py rpcserver: fix exception handling for FAST armor failure 2020-10-30 19:06:11 +02:00
servroles.py Use api.env.container_sysaccounts 2020-04-28 11:28:29 +02:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Delay import of psutil to avoid AVC 2020-09-23 14:49:15 +02:00
topology.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00