Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 49. Enabling AD users to administer IdM

Grant Active Directory (AD) users administrative privileges in Identity Management (IdM) by using ID overrides. This allows trusted AD users to perform IdM administrative tasks without creating separate IdM accounts.

49.1. ID overrides for AD users
Copiar enlace

ID overrides let Active Directory (AD) users access Identity Management (IdM) resources and self-service features — such as uploading SSH keys — without a separate IdM account, by representing the AD user as a member of an IdM group.

An ID override is a record describing what a specific Active Directory user or group properties should look like within a specific ID view, in this case the Default Trust View. With this feature, the IdM LDAP server is able to apply access control rules for the IdM group to the AD user.

AD users can use the self service features of IdM UI, for example to upload their SSH keys, or change their personal data. An AD administrator is able to fully administer IdM without having two different accounts and passwords.

Note

Currently, selected features in IdM may still be unavailable to AD users. For example, setting passwords for IdM users as an AD user from the IdM admins group might fail.

Important

Do not use ID overrides of AD users for sudo rules in IdM. ID overrides of AD users represent only POSIX attributes of AD users, not AD users themselves.

49.2. Using ID overrides to enable AD users to administer IdM
Copiar enlace

Create an ID override for an Active Directory (AD) user in the Default Trust View of Identity Management (IdM) to grant that AD user the same administrative rights as an IdM user.

Prerequisites

  • A working IdM environment is set up. For details, see Installing Identity Management.
  • A working trust between your IdM environment and AD is set up.
  • You are working on an IdM server configured as a trust controller or a trust agent.

Procedure

  1. As an IdM administrator, create an ID override for an AD user in the Default Trust View. For example, to create an ID override for the user ad_user@ad.example.com: 

    # kinit admin
# ipa idoverrideuser-add 'default trust view' ad_user@ad.example.com

  2. Add the ID override from the Default Trust View as a member of an IdM group. This must be a non-POSIX group, as it interacts with Active Directory.

    If the group in question is a member of an IdM role, the AD user represented by the ID override gains all permissions granted by the role when using the IdM API, including both the command-line interface and the IdM web UI.

    For example, to add the ID override for the ad_user@ad.example.com user to the IdM admins group: 

    # ipa group-add-member admins --idoverrideusers=ad_user@ad.example.com

  3. Alternatively, you can add the ID override to a role, such as the User Administrator role: 

    # ipa role-add-member 'User Administrator' --idoverrideusers=ad_user@ad.example.com

Verify that an Active Directory (AD) user can log in to Identity Management (IdM) by using the CLI and perform operations that match the user’s assigned IdM role.

Procedure

  1. Destroy the current Kerberos ticket of the IdM administrator: 

    # kdestroy -A
    Note

    The destruction of the Kerberos ticket is required because the GSSAPI implementation in MIT Kerberos chooses credentials from the realm of the target service by preference, which in this case is the IdM realm. This means that if a credentials cache collection, namely the KCM:, KEYRING:, or DIR: type of credentials cache is in use, a previously obtained admin or any other IdM principal’s credentials will be used to access the IdM API instead of the AD user’s credentials.

  2. Obtain the Kerberos credentials of the AD user for whom an ID override has been created: 

    # kinit ad_user@AD.EXAMPLE.COM
Password for ad_user@AD.EXAMPLE.COM:

  3. Test that the ID override of the AD user enjoys the same privileges stemming from membership in the IdM group as any IdM user in that group. If the ID override of the AD user has been added to the admins group, the AD user can, for example, create groups in IdM: 

    # ipa group-add some-new-group
----------------------------
Added group "some-new-group"
----------------------------
  Group name: some-new-group
  GID: 1997000011

49.4. Using Ansible to enable an AD user to administer IdM
Copiar enlace

Use the ansible-freeipa idoverrideuser and group modules to grant an AD user from a trusted domain full Identity Management (IdM) administration rights without maintaining separate accounts.

The procedure uses the example of the Default Trust View ID view to which the ad_user@AD.EXAMPLE.COM ID override is added in the first playbook task. In the next playbook task, the ad_user@AD.EXAMPLE.COM ID override is added to the IdM admins group as a member.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.15 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The ipaserver host in the inventory file is configured as a trust controller or a trust agent.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. On your Ansible control node, create an enable-ad-admin-to-administer-idm.yml playbook with a task to add the ad_user@ad.example.com user override to the Default Trust View: 

    ---
- name: Enable AD administrator to act as a FreeIPA admin
  hosts: ipaserver
  become: false
  gather_facts: false

  tasks:
  - name: Ensure idoverride for ad_user@ad.example.com in 'Default Trust View'
    ipaidoverrideuser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: "Default Trust View"
      anchor: ad_user@ad.example.com

    In the example:

    • ad_user@ad.example.com is the user ID override of an AD user that is stored in the AD domain with which a trust has been established.

  2. Use another playbook task in the same playbook to add the AD administrator user ID override to the admins group: 

      - name: Add the AD administrator as a member of admins
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: admins
      idoverrideuser:
      - ad_user@ad.example.com

    In the example:

    • admins is the name of the default IdM POSIX group to which you are adding the ad_user@ad.example.com ID override. Members of this group have full administrator privileges.
  3. Save the file.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory enable-ad-admin-to-administer-idm.yml

Verification

  1. Log in to the IdM client as the AD Administrator: 

    $ ssh ad_user@ad.example.com@client.idm.example.com

  2. Verify that you have obtained a valid ticket-granting ticket (TGT): 

    $ klist
Ticket cache: KCM:325600500:99540
Default principal: ad_user@AD.EXAMPLE.COM
Valid starting Expires Service principal
02/04/2024 11:54:16 02/04/2024 21:54:16 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
renew until 02/05/2024 11:54:16

  3. Verify your admin privileges in IdM: 

    $ ipa user-add testuser --first=test --last=user
------------------------
Added user "tuser"
------------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
[...]
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba