# 1 用户组

> FreeIPA默认有admins、editors、ipausers、trust admins用户组,这里单独创建一个用户组。

```

[root@ipa1 ~]# kinit admin

Password for admin@SYSIT.CN:

[root@ipa1 ~]#

[root@ipa1 ~]# ipa group-add osadmin

---------------------

Added group "osadmin"

---------------------

Group name: osadmin

GID: 1683200003

```

* 或者通过web Ui添加


# 2 用户

```

[root@ipa1 ~]# ipa user-add osuser1 --first=OS --last=user1 --password

Password:

Enter Password again to verify:

--------------------

Added user "osuser1"

--------------------

User login: osuser1

First name: OS

Last name: user1

Full name: OS user1

Display name: OS user1

Initials: Ou

Home directory: /home/osuser1

GECOS: OS user1

Login shell: /bin/sh

Principal name: osuser1@SYSIT.CN

Principal alias: osuser1@SYSIT.CN

Email address: osuser1@sysit.cn

UID: 1683200004

GID: 1683200004

Password: True

Member of groups: ipausers

Kerberos keys available: False

```

也可以web ui创建


# 3 用户配置文件

```

[root@ipa1 ~]# ipa user-mod osuser1 --shell=/bin/bash --homedir=/home/osuser1

-----------------------

Modified user "osuser1"

-----------------------

User login: osuser1

First name: OS

Last name: user1

Home directory: /home/osuser1

Login shell: /bin/bash

Principal name: osuser1@SYSIT.CN

Principal alias: osuser1@SYSIT.CN

Email address: osuser1@sysit.cn

UID: 1683200004

GID: 1683200004

Account disabled: False

Password: False

Member of groups: osadmin, ipausers

Kerberos keys available: False

```

* 或者通过web UI 修改


# 4 用户加入用户组

```

[root@ipa1 ~]# ipa group-add-member osadmin --users=osuser1

Group name: osadmin

GID: 1683200003

Member users: osuser1

-------------------------

Number of members added 1

-------------------------

```

# 5 用户权限管理

* Freeipa提供了统一权限管理功能，可直观的通过web ui进行配置

## 5.1 创建HBAC规则

* 【Policy-Host Based Access Control】，根据需要创建控制规则,规则设置简单易懂，即【什么用户(组)可以通过什么服务(组)访问哪台主机(组)】，在创建响应的用户、用户组、主机、主机组、服务、服务组后即可进行筛选、添加等操作。

* 配置完毕后，请删除删除默认的allow_all规则。

* 依次点击Plolicy-> Host-Based Access Control -> Add



* 添加用户或用户组


* 主机或主机组


* 服务或服务组




## 5.2 SUDO权限

在未创建sudo规则前，登录用户只具备普通用户权限，如果需进行系统管理操作，需要创建对应的sudo规则。

a) **首先检查确认上一节HBAC配置：**

Who：需要使用sudo的用户或用户组已配置

Accessing：需访问的主机或主机组已配置

Via Service：已启用sshd、sudo服务

b) **创建适当的sudo规则**

【Policy-Sudo-Sudo Rules】，创建新的Sudo规则，名为"osadmin_sudo_rule"





## 5.3 验证sudo规则

SSH远程登录验证是否可正常登录，同时执行sudo command验证是否可正常执行。如出现要求反复输入密码的情况，请检查上述配置是否正确。

* ssh

```

[root@ipa1 ~]# ssh osuser1@client.sysit.cn

Password:

Password expired. Change your password now.

Current Password:

New password:

Retype new password:

Creating home directory for osuser1.

[osuser1@client ~]$

```

* sudo

```

[osuser1@client ~]$ sudo uptime

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

[sudo] password for osuser1:

osuser1 is not allowed to run sudo on client. This incident will be reported.

```

* 实际测试添加!authenticate的sudorule options

```

ipa sudorule-add-option --sudooption='!authenticate'

```

* 或者通过web ui添加