diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2012-09-20 14:25:05 +0300 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2012-09-20 14:57:49 +0200 |
| commit | 21ecf2f28726c413a3f6bc810e8d46033028902d (patch) | |
| tree | a0d614ffd27e5cad75813aafc41522079d12ab2c /ipalib | |
| parent | 9d84a3cf49906548390845b4c30482d702f679bf (diff) | |
| download | freeipa-21ecf2f28726c413a3f6bc810e8d46033028902d.tar.gz freeipa-21ecf2f28726c413a3f6bc810e8d46033028902d.tar.xz freeipa-21ecf2f28726c413a3f6bc810e8d46033028902d.zip | |
Add documentation for 'ipa trust' set of commands
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/plugins/trust.py | 60 |
1 files changed, 58 insertions, 2 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index bced06f4d..9d3e9a873 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -34,11 +34,67 @@ if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc #pylint: disable=F0401 _bindings_installed = True - except Exception, e: + except ImportError: _bindings_installed = False __doc__ = _(""" -Manage trust relationship between realms +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show <ad.domain> + +4. Delete existing trust relationship: + + ipa trust-del <ad.domain> + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. Make note of the trusted domain security identifier + + domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: -f2` + +2. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external + ipa group-add --desc='<ad.domain> admins' ad_admins + +3. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external + group (security identifier of <ad.domain SID>-513 is Domain Admins group): + + ipa group-add-member ad_admins_external --external ${domainsid}-513 + +4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + """) trust_output_params = ( |