Friday, February 8, 2019

How to map the AD group to RHEL7-IdM FreeIPA. Managing sudo access centrally.
=======================================================================
The idea is to create a separate group so that normal users can be kept away from root account access/privileges and limited to commands like "su" and "su -", with Host Based Access Control applied centrally. So no more headache of managing the "sudoers" file individually on each machine!

Step three is where the actual mapping of the AD group to the IPA external group happens.

1. Log in as root and create an external group in IPA.

[root@idm-adminserver ~]# ipa group-add --desc='AD External Super Admins Group' newapp_super_external --external
--------------------------------
Added group "newapp_super_external"
--------------------------------
  Group name: newapp_super_external
  Description: AD External Super Admins Group

2. Create a POSIX group in IPA.
[root@idm-adminserver ~]# ipa group-add --desc='AD superadminsgroup' newappgroup
----------------------
Added group "newappgroup"
----------------------
  Group name: newappgroup
  Description: AD superadminsgroup
  GID: 945800023

3. Map the AD group to the IPA external group. Use exactly the same group name as created in AD.
[root@idm-adminserver ~]# ipa group-add-member newapp_super_external --external "YOURDOMAIN\App-Super-Admins"
[member user]:
[member group]:
  Group name: newapp_super_external
  Description: AD External Super Admins Group
  External member: S-1-6-22-7453987130-51046295449-86423321111-632055
-------------------------
Number of members added 1
-------------------------

4. Map the IPA external group to the local POSIX group.
[root@idm-adminserver ~]# ipa group-add-member newappgroup --groups newapp_super_external
  Group name: newappgroup
  Description: AD superadminsgroup
  GID: 945800023
  Member groups: newapp_super_external
-------------------------
Number of members added 1
-------------------------

Important Note: "App-Super-Admins" is the actual AD-side group, created under "YOURDOMAIN".
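The four steps above, collected into one script as an added example (this is not code from the original post). It parameterises the group names, checks that the AD group is given in the exact `DOMAIN\Group` form that step 3 depends on, and then attaches the resulting POSIX group to a central sudo rule so the title's "sudo access centrally" part is covered too. Assumptions not taken from the post: an admin Kerberos ticket already exists (`kinit admin`) and the AD trust is in place; the hostgroup name `newapp_servers` and the sudo rule name `newapp_su_only` are placeholders; `DRY_RUN=1` prints each `ipa` command instead of running it so the script can be reviewed before touching the IdM server.

```shell
#!/bin/sh
# Added example, not part of the original post. Automates steps 1-4 and adds
# a central sudo rule. Assumes: kinit admin done, AD trust established.
# DRY_RUN=1 prints the ipa commands instead of executing them.
set -eu

# Run a command, or just print it when DRY_RUN=1 (lets you review the plan
# before changing anything on the IdM server).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 3 only resolves the SID if the AD group is written as DOMAIN\Group.
# Returns 0 for a well-formed name, 1 otherwise.
valid_ad_group_name() {
    case "$1" in
        *\\*\\*) return 1 ;;             # more than one backslash
        [A-Za-z0-9.-]*\\?*) return 0 ;;  # non-empty DOMAIN, backslash, non-empty Group
        *) return 1 ;;
    esac
}

# Steps 1-4 from the post. Usage:
#   map_ad_group_to_ipa EXTERNAL_GROUP POSIX_GROUP 'DOMAIN\ADGroup' "description"
map_ad_group_to_ipa() {
    ext_group=$1; posix_group=$2; ad_group=$3; desc=$4
    valid_ad_group_name "$ad_group" || {
        echo "AD group must be given as DOMAIN\\Group, got: $ad_group" >&2
        return 1
    }
    # 1. external (non-POSIX) group that can hold AD SIDs
    run ipa group-add --desc="$desc (external)" "$ext_group" --external
    # 2. POSIX group that enrolled Linux hosts see through SSSD
    run ipa group-add --desc="$desc" "$posix_group"
    # 3. AD group -> external group (IPA stores the group's SID)
    run ipa group-add-member "$ext_group" --external "$ad_group"
    # 4. external group -> POSIX group, so AD members inherit the GID
    run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# Central sudo rule: members of POSIX_GROUP may run only the listed commands
# on hosts in HOSTGROUP. Rule and hostgroup names are placeholders.
grant_sudo_rule() {
    rule=$1; posix_group=$2; hostgroup=$3; shift 3
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-user "$rule" --groups "$posix_group"
    run ipa sudorule-add-host "$rule" --hostgroups "$hostgroup"
    for cmd in "$@"; do
        run ipa sudocmd-add "$cmd"
        run ipa sudorule-add-allow-command "$rule" --sudocmds "$cmd"
    done
}

# Post-checks: the POSIX group should list the external group as a member
# group, and an enrolled client must be able to resolve it through SSSD.
verify_mapping() {
    run ipa group-show "$1"
    run getent group "$1"
}

# Usage (set DRY_RUN=1 first to preview):
#   map_ad_group_to_ipa newapp_super_external newappgroup 'YOURDOMAIN\App-Super-Admins' 'AD superadminsgroup'
#   grant_sudo_rule newapp_su_only newappgroup newapp_servers /bin/su "/bin/su -"
#   verify_mapping newappgroup
```

After the rule is in place, `sudo -l` as a mapped AD user on a client in the hostgroup should list only the allowed commands; if it lists nothing, check `getent group newappgroup` first, since a missing GID usually means SSSD has not picked up the new membership yet.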

Happy Linux!

=======================================================================
