Red Hat Bugzilla – Bug 1254190
Allow AD groups to be used in IdM RBAC
Last modified: 2017-09-25 06:18:32 EDT
Description of problem:
IdM does not allow AD groups to be assigned roles in IdM for RBAC purposes. E.g., an organization's IT Help Desk is represented in Active Directory via a group 'Help Desk'; this group should be mapped to the role 'helpdesk' in IdM, allowing them to perform basic IT actions such as resetting passwords.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. In the "Role Based Access Control" screen of IdM, select a role such as 'helpdesk'
2. Assign an External Group, mapped to AD
3. Log out and attempt to log in as an AD user who is a member of that group.
* Login fails, so it is not possible to perform actions via the Web GUI.
* Similar failure with CLI, with a SASL error.
The AD user should be allowed to log in and exercise the privileges assigned via RBAC.
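The same reproduction from the ipa CLI rather than the Web UI, as an added example (not part of the bug report or of FreeIPA itself). The ipa subcommands and options are the standard FreeIPA CLI; the AD domain AD.EXAMPLE.COM, the AD group "Help Desk", the IdM group names helpdesk_external and helpdesk_ad, and the role name helpdesk are assumed placeholders. Wrapping the external group in a POSIX group before adding it to the role is the common FreeIPA practice for trust setups and is an assumption here, not something the report specifies.

```shell
#!/bin/bash
# Added example: reproduce Bug 1254190 from the ipa CLI.
# Assumptions (not from the bug): AD domain AD.EXAMPLE.COM with NetBIOS name AD,
# AD group "Help Desk", IdM groups helpdesk_external / helpdesk_ad, IdM role helpdesk.
set -euo pipefail

AD_DOMAIN="${AD_DOMAIN:-AD.EXAMPLE.COM}"
AD_GROUP="${AD_GROUP:-Help Desk}"
EXT_GROUP="${EXT_GROUP:-helpdesk_external}"
POSIX_GROUP="${POSIX_GROUP:-helpdesk_ad}"
ROLE="${ROLE:-helpdesk}"

# External members are named as "NETBIOS\Group" (or by SID). Assumption: the NetBIOS
# name is the first label of the DNS domain, as in a default trust setup.
ad_member_name() {
    local domain="$1" group="$2"
    local netbios="${domain%%.*}"
    printf '%s\\%s' "${netbios}" "${group}"
}

# Steps 1 and 2 of the report, on the CLI. Run with a Kerberos ticket for an IdM admin.
setup_rbac_mapping() {
    local member
    member="$(ad_member_name "${AD_DOMAIN}" "${AD_GROUP}")"
    # Non-POSIX group that can hold AD (external) members.
    ipa group-add --external "${EXT_GROUP}" --desc "AD ${AD_GROUP} (external)"
    ipa group-add-member "${EXT_GROUP}" --external "${member}"
    # POSIX wrapper group, nested around the external group, then assigned to the role.
    ipa group-add "${POSIX_GROUP}" --desc "POSIX wrapper for ${EXT_GROUP}"
    ipa group-add-member "${POSIX_GROUP}" --groups "${EXT_GROUP}"
    ipa role-add-member "${ROLE}" --groups "${POSIX_GROUP}"
    ipa role-show "${ROLE}"
}

# Step 3 of the report: authenticate as an AD member of that group and attempt an
# action the role should grant. With the bug present the ipa call fails with a SASL
# error instead of returning results.
check_as_ad_user() {
    local ad_user="$1"   # e.g. jdoe@AD.EXAMPLE.COM
    kdestroy -A
    kinit "${ad_user}"
    ipa user-find --sizelimit=1
}

# Usage: ./repro.sh run jdoe@AD.EXAMPLE.COM   (only runs when invoked with "run")
if [ "${1:-}" = "run" ]; then
    setup_rbac_mapping
    check_as_ad_user "${2:?AD user principal required}"
fi
```

Run the first function with an admin ticket, then the second as the AD user; a successful `ipa user-find` after `kinit` as the AD user is the expected behaviour, and the SASL failure the report describes is the bug.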
IdM team doesn't have capacity to fix this bug for RHEL 7.4. Moving to next RHEL version. Fixing the bug there will depend on capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.