
I've tried multiple methods that don't appear to work, but I'm ultimately trying to add multiple external users to a non-POSIX group using the ipa group-add-member ... command.

NOTE: These external users are coming in via a trust with an Active Directory environment.

Usage

$ ipa -v help group-add-member
Usage: ipa [global-options] group-add-member GROUP-NAME [options]

Add members to a group.
Options:
  -h, --help      show this help message and exit
  --external=STR  Members of a trusted domain in DOM\name or name@domain form
  --all           Retrieve and print all attributes from the server. Affects
                  command output.
  --raw           Print entries as stored on the server. Only affects output
                  format.
  --no-members    Suppress processing of membership attributes.
  --users=STR     users to add
  --groups=STR    groups to add

What I'm trying to do

$ ipa -n group-add-member ad_users_external \
     --external="user1@AD.mydom.com,user2@AD.mydom.com"

  Group name: ad_users_external
  Description: External group of admins from AD
  External member: S-2-3-12-1396123456-1786123456-1027123456-123456
  Member of groups: ad_users
  Failed members:
    member user:
    member group: user1@AD.mydom.com,user2@AD.mydom.com: invalid 'trusted domain object': Ambiguous search, user domain was not specified
-------------------------
Number of members added 0
-------------------------
slm
  • Any reason you don't use an external group? – Jacob Evans Nov 09 '17 at 20:17
  • @JacobEvans - new to freeipa, do you mean a group that's provided by AD? – slm Nov 10 '17 at 00:21
  • yeah, you end up with 3 groups, but it minimizes the need to reconfigure ipa when changing users. – Jacob Evans Nov 10 '17 at 00:45
  • @JacobEvans - I don't control the AD in this instance; we're using it simply to leverage the corp. authentication. The groups we're controlling ourselves: I'm merely mapping all the AD users into various external groups and then putting these groups into POSIX groups to map them to sudo rulesets etc. The approach I'm taking is shown in the FreeIPA docs. – slm Nov 10 '17 at 00:56
  • Then what you're doing is solid, I'd suggest checking out https://github.com/peterpakos/ipa_check_consistency – Jacob Evans Nov 10 '17 at 01:10
  • @JacobEvans - thanks, great tip, will definitely make use of it. – slm Nov 10 '17 at 01:58

1 Answer


If you look in the man page for the CLI tool ipa there are some examples which show how to accomplish this, though not directly using the group-add-member subcommand.

man page

  ipa group-add-member bar --users={admin,foo}
          Add users "admin" and "foo" to the group "bar". This approach depends on shell expansion feature.

So you need to pass the list of users to the --external switch using curly braces & commas.

Example

$ ipa -n group-add-member ad_users_external \
     --external={user1@AD.mydom.com,user2@AD.mydom.com}

  Group name: ad_users_external
  Description: External group of admins from AD
  External member: S-1-5-21-1396123456-17861234567-1027123456-123456, S-1-5-21-1396123456-1786123456-1027123456-123456
  Member of groups: ad_users
-------------------------
Number of members added 2
-------------------------
slm
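The difference between the failing and the working invocation above is purely what the shell hands to ipa: a quoted, comma-joined value is one argument (which the server rejects as an ambiguous trusted-domain object), while brace expansion yields one --external= option per user. The following is an added example, not part of the original answer, that makes the argument count visible and shows how to build the same per-user option list in a script, where brace expansion is not available for values held in a variable or read from a file. The domain AD.mydom.com is the question's own placeholder; count_args, external_opts and check_principal are helper names assumed here, not ipa options.

```shell
# Added example (not from the original answer). Shows why the comma-joined
# value fails and how to produce one --external=<principal> option per user
# in a script. AD.mydom.com is the placeholder domain from the question;
# the helper names below are assumptions, not ipa options.

# Report how many arguments a command would receive.
count_args() { echo "$#"; }

# Wrong: the quoted, comma-joined string reaches ipa as a single argument,
# which the server refuses with "Ambiguous search, user domain was not
# specified" and adds nobody.
args_joined() {
  count_args --external="user1@AD.mydom.com,user2@AD.mydom.com"
}

# Right, scripted: emit one --external=<principal> option per user from a
# whitespace-separated list, so each principal is resolved on its own.
# Interactively, --external={user1@...,user2@...} does the same via bash
# brace expansion, but that expansion never happens inside a variable.
external_opts() {
  for u in $1; do
    printf '%s\n' "--external=$u"
  done
}

# Count the options produced for two users (expected: 2).
args_expanded() {
  set -- $(external_opts "user1@AD.mydom.com user2@AD.mydom.com")
  count_args "$@"
}

# Reject a principal with no domain part before calling ipa at all, since a
# bare name is exactly what the server cannot disambiguate across trusts.
check_principal() {
  case "$1" in
    *@?*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Usage (dry run; drop the leading echo to run the real command):
# set -- $(external_opts "user1@AD.mydom.com user2@AD.mydom.com")
# echo ipa -n group-add-member ad_users_external "$@"
```

The loop form is what to use when the member list comes from a file or another command, because the value of a variable is never brace-expanded; it also keeps each principal as its own argument, so a single bad entry is reported by ipa under "Failed members" instead of invalidating the whole batch as one unparseable string.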