mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-11 08:41:55 -06:00
bee4204039
Second part of adding support to manage IPA as a user from a trusted Active Directory forest. Treat user ID overrides as members of groups and roles. For example, adding an Active Directory user ID override as a member of 'admins' group would make it equivalent to built-in FreeIPA 'admin' user. We already support self-service operations by Active Directory users if their user ID override does exist. When Active Directory user authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos principal is automatically mapped to the user's ID override in the Default Trust View. LDAP server's access control plugin uses membership information of the corresponding LDAP entry to decide how access can be allowed. With the change, users from trusted Active Directory forests can manage FreeIPA resources if the groups are part of appropriate roles or their ID overrides are members of the roles themselves. Fixes: https://pagure.io/freeipa/issue/7255 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> |
||
|---|---|---|
| .. | ||
| advise | ||
| dnssec | ||
| install | ||
| plugins | ||
| secrets | ||
| __init__.py | ||
| dcerpc_common.py | ||
| dcerpc.py | ||
| dns_data_management.py | ||
| Makefile.am | ||
| masters.py | ||
| p11helper.py | ||
| rpcserver.py | ||
| servroles.py | ||
| setup.cfg | ||
| setup.py | ||
| topology.py | ||