[Freeipa-devel] Multiple Active Directory Domains authentication - is freeIPA my solution?

Christian Horn chorn at fluxcoil.net
Tue Aug 19 08:21:02 UTC 2008


Alex Davies wrote:
> 
> >> I'm trying to find an open source solution to authenticate a bunch of
> >> Linux machines (and, ideally, network devices etc.) against Active
> >> Directory. The complication we have is that my organization has more
> >> than one Active Directory Domain, each hosted on its own collection of
> >> domain controllers. In Windows, users select the relevant domain when
> >> they log in to a PC and everyone is happy [there is a trust
> >> relationship between our domains]. I cannot for the life of me get
> >> this to work properly on Linux.
> >>
> >> We set up Fedora Directory Server, and PassSync on all our (very very
> >> many) domain controllers. We then set up multiple replication
> >> agreements (one per AD domain), and this seems to work most of the
> >> time; however, sometimes passwords are not synced.

For now you try to sync the complete datasets between the two worlds;
you could try an approach that makes a Kerberos KDC or freeipa-server
look like one of the AD controllers, i.e. set up a trust between them.
This is a different approach, not yet supported by freeipa, but it did
technically work for me in a test setup with an MIT KDC.
This would handle authentication only; maybe for authorization you could
make the Linux boxes contact the AD controllers directly via LDAP.
Haven't used this in enterprise setups, just a thought.


Christian
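As an added example (not from Christian's mail or the FreeIPA project), a minimal MIT krb5.conf on the Linux side for the cross-realm approach described above: a local KDC realm trusted by two AD domains, with an explicit allowlist of trust paths and of which foreign principals map to local accounts. All realm names, hostnames and the two AD domains are constructed placeholders.

```ini
# /etc/krb5.conf on a Linux client (constructed example; realm and host names are placeholders)
[libdefaults]
    default_realm = IPA.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    IPA.EXAMPLE.COM = {
        kdc = kdc1.ipa.example.com
        admin_server = kdc1.ipa.example.com
        # Map only principals from the two trusted AD realms to local user names;
        # anything else falls through to DEFAULT, which only accepts the local realm.
        auth_to_local = RULE:[1:$1@$0](^.*@CORP\.EXAMPLE\.COM$)s/@.*//
        auth_to_local = RULE:[1:$1@$0](^.*@LAB\.EXAMPLE\.COM$)s/@.*//
        auth_to_local = DEFAULT
    }
    # One stanza per AD domain, each with its own domain controllers
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        kdc = dc2.corp.example.com
    }
    LAB.EXAMPLE.COM = {
        kdc = dc1.lab.example.com
    }

[domain_realm]
    .ipa.example.com  = IPA.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
    .lab.example.com  = LAB.EXAMPLE.COM

[capaths]
    # Direct trust paths only: "." means no intermediate realm is accepted
    # between an AD realm and the local realm.
    CORP.EXAMPLE.COM = {
        IPA.EXAMPLE.COM = .
    }
    LAB.EXAMPLE.COM = {
        IPA.EXAMPLE.COM = .
    }
```

The trust itself lives in the cross-realm principals (krbtgt/IPA.EXAMPLE.COM@CORP.EXAMPLE.COM and the reverse) that must exist with matching keys on both the MIT KDC and each AD domain; as the mail says, this covers authentication only, so group membership and the auth_to_local mapping still need to be maintained separately.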
