Bug 1254190 - Allow AD groups to be used in IdM RBAC
Allow AD groups to be used in IdM RBAC
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Docs Contact:
Depends On:
Blocks:

Reported: 2015-08-17 07:54 EDT by Matt Smith
Modified: 2018-06-19 09:29 EDT
CC: 3 users

Fixed In Version:
Last Closed:
Type: Bug

Attachments: None

Description Matt Smith 2015-08-17 07:54:15 EDT
Description of problem:
IdM does not allow AD groups to be assigned roles in IdM for RBAC purposes.  E.g., an organization's IT Help Desk is represented in Active Directory via a group 'Help Desk'; this group should be mapped to the role 'helpdesk' in IdM, allowing them to perform basic IT actions such as resetting passwords.

Version-Release number of selected component (if applicable):
All

How reproducible:
Always

Steps to Reproduce:
1. In "Role Based Access Control" screen of IdM, select a role such as 'helpdesk'
2. Assign an External Group, mapped to AD
3. Log out, attempt to login as AD user in that member group.

Actual results:
* Login will fail, so it is not possible to perform actions via Web GUI.
* Similar failure with CLI, with a SASL error.

Expected results:
AD user should be allowed to log in, and perform the privileges assigned via RBAC

Additional info:
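The mapping the report describes, written out as an added example (not from the bug report or the FreeIPA project): the `ipa` CLI chain that links an AD group to an IdM RBAC role by way of an external group and a POSIX group, an admin-side check of the role membership, and the probe from step 3 of the reproduction. The domain, realm, group and account names (`ad.example.com`, `ad_helpdesk_external`, `ad_helpdesk`, `hduser`) are assumptions; the role `helpdesk` and the AD group `Help Desk` are the ones named in the report. Setting `DRY_RUN=1` prints the commands instead of running them, so the script can be reviewed before it touches a live server.

```shell
#!/bin/sh
# Added example (not from the bug report or the FreeIPA project): the ipa CLI
# chain that links an AD group to an IdM RBAC role. The domain, group, role and
# account names below are assumptions; override them from the environment.
# Needs an IdM admin Kerberos ticket (kinit admin) unless DRY_RUN is set, in
# which case each command line is printed instead of executed.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"        # assumed trusted AD domain
AD_REALM="${AD_REALM:-AD.EXAMPLE.COM}"          # its Kerberos realm
AD_GROUP="${AD_GROUP:-Help Desk}"               # AD group named in the report
EXT_GROUP="${EXT_GROUP:-ad_helpdesk_external}"  # assumed IdM external group
POSIX_GROUP="${POSIX_GROUP:-ad_helpdesk}"       # assumed IdM POSIX group
ROLE="${ROLE:-helpdesk}"                        # IdM role named in the report
AD_USER="${AD_USER:-hduser@$AD_REALM}"          # assumed member of the AD group

# Print the command line under DRY_RUN, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# External groups are the only IdM groups that may hold trusted-domain members,
# but they are not POSIX groups, so a POSIX group wraps the external group and
# it is the POSIX group that is made a member of the role.
map_ad_group_to_role() {
    run ipa group-add "$EXT_GROUP" --external --desc "AD group $AD_GROUP"
    # trusted-domain members are written as DOM\name or name@domain
    run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP@$AD_DOMAIN"
    run ipa group-add "$POSIX_GROUP" --desc "POSIX wrapper for $EXT_GROUP"
    run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
    run ipa role-add-member "$ROLE" --groups "$POSIX_GROUP"
}

# Admin-side check: the role should now list the POSIX group as a member.
verify_role_membership() {
    run ipa role-show "$ROLE"
}

# Step 3 of the report: authenticate as the AD user and make one IdM call.
# On RHEL 7.1 the report says this fails (Web UI login rejected, CLI SASL
# error), so a failure here reproduces the bug rather than a mapping mistake.
probe_as_ad_user() {
    run kinit "$AD_USER"
    run ipa user-find --sizelimit=1
}

case "${1:-}" in
    map)    map_ad_group_to_role ;;
    verify) verify_role_membership ;;
    probe)  probe_as_ad_user ;;
    *)      ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Usage: `DRY_RUN=1 sh map_ad_role.sh map` to review the commands, then `sh map_ad_role.sh map` and `sh map_ad_role.sh verify` with an admin ticket, and `sh map_ad_role.sh probe` from a client where the AD user can obtain a ticket. The POSIX wrapper group is what HBAC and sudo rules also reference, so the same chain serves those rules once the role side works.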
Comment 2 Petr Vobornik 2015-08-17 11:34:55 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5230
Comment 3 Petr Vobornik 2017-04-06 12:22:50 EDT
IdM team doesn't have capacity to fix this bug for RHEL 7.4. Moving to next RHEL version. Fixing the bug there will depend on capacity of FreeIPA upstream. Without sufficient justification there is a chance that it will be moved again later.
