Bug 1181853
| Summary: | [RFE] Add Global Catalog to allow authentication of IdM users within AD domain | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Clifton Coursey <ccoursey> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | ASSIGNED --- | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | abokovoy, afarley, aperotti, baptiste.agasse, bobby.prins, ddas, dminnich, dthursto, ekeck, frenaud, j.bittner, jhunt, jkastnin, jshivers, ksiddiqu, lmiksik, mbogdano, mkosek, mpanaous, pasik, pvoborni, rcritten, tscherf |
| Target Milestone: | beta | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | Flags: | jkastnin: needinfo- |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1398653, 1421663 | | |
| Bug Blocks: | 1411762 | | |
Description
Clifton Coursey
2015-01-13 22:53:21 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3125

Please note that the first version of this feature would not cover all possible use cases that an IdM user could do on a Windows client. It will cover basic use cases that will be enabled by adding a Global Catalog to IdM Server. Further use cases can be investigated after this step.
Having said that, this is the current set of User Stories that we are managing:
User Story 1: As a Windows Administrator I want to add IdM Users and Groups to the access control lists of resources in Active Directory, so that I can let IdM users log in to Windows clients enrolled with Windows Server and to file shares.
- Acceptance Criteria
* I can enable "Allow logon locally" Global Policy for a special group with all IdM users or a selected IdM Group or an IdM User to later enable local logon
* I can add a special group with all IdM users, selected IdM Group or IdM User to "Remote Desktop Users" group to later enable remote logon
* I can grant access to a file share located on Windows Servers
* Limitation: the use cases not explicitly called out above may or may not work and are not supported in the first implementation.
User Story 2: As an IdM User I'm able to log in remotely or locally to a Windows client enrolled in Windows Server, so that the user can use file shares or run a Windows application.
- Acceptance Criteria
* Prerequisite: this workflow requires a bi-directional Trust between IdM Server and AD Forest Root and a Workstation enrolled in the forest's domain
* When allowed, an IdM user can log in with his user name and password to a local Windows terminal
* When allowed, an IdM user can log in with his user name and password to a remote Windows terminal using an RDP client (test with FreeRDP)
* An IdM user can open, modify or delete a file in a folder, when allowed by the respective Windows folder ACL
* IdM user can run a Windows application that does not require any additional interfaces (like SMB or DCE RPC) available on IdM Server
Comments and suggestions welcome!
The RFE would be targeted primarily for RHEL-8.1 or later, not for RHEL-7.x - moving Bug to another product.

Current state is recorded in the SambaXP'2020 talk:
slides: https://sambaxp.org/archive-data-samba/sxp20/sxp20-d2/sxp20-d2t2-1-bokovoy-blancrenaud-FreeIPA-Catalog.pdf
video (and demo): https://sambaxp.org/archive-data-samba/sxp20/sxp20-d2/sxp20-d2t2-1-bokovoy-blancrenaud.mp4