Chapter 88. Enabling AD users to administer IdM
88.1. ID overrides for AD users
In Red Hat Enterprise Linux (RHEL) 7, external group membership allows Active Directory (AD) users and groups to access Identity Management (IdM) resources in a POSIX environment with the help of the System Security Services Daemon (SSSD).
The IdM LDAP server has its own mechanisms to grant access control. RHEL 8 introduces an update that allows adding an ID user override for an AD user as a member of an IdM group. An ID override is a record describing what a specific Active Directory user or group properties should look like within a specific ID view, in this case the Default Trust View. As a consequence of the update, the IdM LDAP server is able to apply access control rules for the IdM group to the AD user.
AD users are now able to use the self service features of IdM UI, for example to upload their SSH keys, or change their personal data. An AD administrator is able to fully administer IdM without having two different accounts and passwords.
Currently, selected features in IdM may still be unavailable to AD users. For example, setting passwords for IdM users as an AD user from the IdM admins
group might fail.
Do not use ID overrides of AD users for sudo
rules in IdM. ID overrides of AD users represent only POSIX attributes of AD users, not AD users themselves.
Additional resources
88.2. Using ID overrides to enable AD users to administer IdM
Follow this procedure to create and use an ID override for an AD user to give that user rights identical to those of an IdM user. During this procedure, work on an IdM server that is configured as a trust controller or a trust agent.
Prerequisites
The
idm:DL1
stream is enabled on your Identity Management (IdM) server and you have switched to the RPMs delivered through this stream:# yum module enable idm:DL1 # yum distro-sync
The
idm:DL1/adtrust
profile is installed on your IdM server.# yum module install idm:DL1/adtrust
The profile contains all the packages necessary for installing an IdM server that will have a trust agreement with Active Directory (AD).
- A working IdM environment is set up. For details, see Installing Identity Management.
- A working trust between your IdM environment and AD is set up.
Procedure
As an IdM administrator, create an ID override for an AD user in the Default Trust View. For example, to create an ID override for the user
ad_user@ad.example.com
:# kinit admin # ipa idoverrideuser-add 'default trust view' ad_user@ad.example.com
Add the ID override from the Default Trust View as a member of an IdM group. This must be a non-POSIX group, as it interacts with Active Directory.
If the group in question is a member of an IdM role, the AD user represented by the ID override gains all permissions granted by the role when using the IdM API, including both the command-line interface and the IdM web UI.
For example, to add the ID override for the
ad_user@ad.example.com
user to the IdMadmins
group:# ipa group-add-member admins --idoverrideusers=ad_user@ad.example.com
Alternatively, you can add the ID override to a role, such as the User Administrator role:
# ipa role-add-member 'User Administrator' --idoverrideusers=ad_user@ad.example.com
Additional resources
88.3. Using Ansible to enable AD users to administer IdM
Follow this procedure to use an Ansible playbook to ensure that a user ID override is present in an Identity Management (IdM) group. The user ID override is the override of an Active Directory (AD) user that you created in the Default Trust View after you established a trust with AD. As a result of running the playbook, an AD user, for example an AD administrator, is able to fully administer IdM without having two different accounts and passwords.
Prerequisites
-
You know the IdM
admin
password. - You have installed a trust with AD.
-
The user ID override of the AD user already exists in IdM. If it does not, create it with the
ipa idoverrideuser-add 'default trust view' ad_user@ad.example.com
command. - The group to which you are adding the user ID override already exists in IdM.
-
You are using the 4.8.7 version of IdM or later. To view the version of IdM you have installed on your server, enter
ipa --version
. You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.13 or later.
-
You have installed the
ansible-freeipa
package. - The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
-
The example assumes that the secret.yml Ansible vault stores your
ipaadmin_password
.
-
The target node, that is the node on which the
ansible-freeipa
module is executed, is part of the IdM domain as an IdM client, server or replica.
Procedure
Navigate to your ~/MyPlaybooks/ directory:
$ cd ~/MyPlaybooks/
Create an
add-useridoverride-to-group.yml
playbook with the following content:--- - name: Playbook to ensure presence of users in a group hosts: ipaserver - name: Ensure the ad_user@ad.example.com user ID override is a member of the admins group: ipagroup: ipaadmin_password: "{{ ipaadmin_password }}" name: admins idoverrideuser: - ad_user@ad.example.com
In the example:
-
Secret123 is the IdM
admin
password. -
admins
is the name of the IdM POSIX group to which you are adding the ad_user@ad.example.com ID override. Members of this group have full administrator privileges. - ad_user@ad.example.com is the user ID override of an AD administrator. The user is stored in the AD domain with which a trust has been established.
-
Secret123 is the IdM
- Save the file.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
$ ansible-playbook --vault-password-file=password_file -v -i inventory add-useridoverride-to-group.yml
Additional resources
- ID overrides for AD users
- /usr/share/doc/ansible-freeipa/README-group.md
- /usr/share/doc/ansible-freeipa/playbooks/user
- Using ID views in Active Directory environments
88.4. Verifying that an AD user can perform correct commands in the IdM CLI
This procedure checks that an Active Directory (AD) user can log into Identity Management (IdM) command-line interface (CLI) and run commands appropriate for his role.
Destroy the current Kerberos ticket of the IdM administrator:
# kdestroy -A
NoteThe destruction of the Kerberos ticket is required because the GSSAPI implementation in MIT Kerberos chooses credentials from the realm of the target service by preference, which in this case is the IdM realm. This means that if a credentials cache collection, namely the
KCM:
,KEYRING:
, orDIR:
type of credentials cache is in use, a previously obtainedadmin
or any other IdM principal’s credentials will be used to access the IdM API instead of the AD user’s credentials.Obtain the Kerberos credentials of the AD user for whom an ID override has been created:
# kinit ad_user@AD.EXAMPLE.COM Password for ad_user@AD.EXAMPLE.COM:
Test that the ID override of the AD user enjoys the same privileges stemming from membership in the IdM group as any IdM user in that group. If the ID override of the AD user has been added to the
admins
group, the AD user can, for example, create groups in IdM:# ipa group-add some-new-group ---------------------------- Added group "some-new-group" ---------------------------- Group name: some-new-group GID: 1997000011
88.5. Using Ansible to enable an AD user to administer IdM
You can use the ansible-freeipa
idoverrideuser
and group
modules to create a user ID override for an Active Directory (AD) user from a trusted AD domain and give that user rights identical to those of an IdM user. The procedure uses the example of the Default Trust View
ID view to which the administrator@addomain.com ID override is added in the first playbook task. In the next playbook task, the administrator@addomain.com ID override is added to the IdM admins
group as a member. As a result, an AD administrator can administer IdM without having two different accounts and passwords.
Prerequisites
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.13 or later.
-
You have installed the
ansible-freeipa
package on the Ansible controller. - You are using RHEL 8.10 or later.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
-
The example assumes that the secret.yml Ansible vault stores your
ipaadmin_password
.
- The AD forest is in trust with IdM. In the example, the name of the AD domain is addomain.com and the fully-qualified domain name (FQDN) of the AD administrator is administrator@addomain.com.
-
The
ipaserver
host in the inventory file is configured as a trust controller or a trust agent. -
The target node, that is the node on which the
ansible-freeipa
module is executed, is part of the IdM domain as an IdM client, server or replica.
Procedure
On your Ansible control node, create an enable-ad-admin-to-administer-idm.yml playbook with a task to add the administrator@addomain.com user override to the Default Trust View:
--- - name: Enable AD administrator to act as a FreeIPA admin hosts: ipaserver become: false gather_facts: false tasks: - name: Ensure idoverride for administrator@addomain.com in 'default trust view' ipaidoverrideuser: ipaadmin_password: "{{ ipaadmin_password }}" idview: "Default Trust View" anchor: administrator@addomain.com
Use another playbook task in the same playbook to add the AD administrator user ID override to the
admins
group:- name: Add the AD administrator as a member of
admins
ipagroup: ipaadmin_password: "{{ ipaadmin_password }}" name: admins idoverrideuser: - administrator@addomain.com- Save the file.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
$ ansible-playbook --vault-password-file=password_file -v -i inventory enable-ad-admin-to-administer-idm.yml
Verification
Log in to the IdM client as the AD Administrator:
$ ssh administrator@addomain.com@client.idm.example.com
Verify that you have obtained a valid ticket-granting ticket (TGT):
$ klist Ticket cache: KCM:325600500:99540 Default principal: Administrator@ADDOMAIN.COM Valid starting Expires Service principal 02/04/2024 11:54:16 02/04/2024 21:54:16 krbtgt/ADDOMAIN.COM@ADDOMAIN.COM renew until 02/05/2024 11:54:16
Verify your
admin
privileges in IdM:$ ipa user-add testuser --first=test --last=user ------------------------ Added user "tuser" ------------------------ User login: tuser First name: test Last name: user Full name: test user [...]
Additional resources
-
The idoverrideuser and ipagroup
ansible-freeipa
upstream documentation - Enabling AD users to administer IdM