[Freeipa-devel] Mixed environment - MS and NIX

Rob Crittenden rcritten at redhat.com
Mon Jan 19 15:08:53 UTC 2009


Christoffer Strömblad wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi list,
> 
> I'm currently doing a "pre-study" for a project where a company is
> trying to standardize their use of Linux into a coherent, centrally
> managed system. Part of this is to manage and authenticate users,
> again centrally.
> 
> Now I'm very much in-love with open source software, but as much as
> I'd like to simply provide a separate system for all of this we
> live in a mixed environment and business requirements. One of these
> dreaded requirements is to use AD for authentication.
> 
> Now to the questions:
> 1) Is it possible to somehow replicate data from an AD over to
> fedora directory service? (I think this is a yes from what I've
> read)

Yes. We currently only sync the following information:
- New users added to AD
- Existing IPA users that have a ntuserdomainid that matches an AD user 
and have the objectclass ntUser (so you can create a user in IPA and 
then connect them to an existing AD user)
- Passwords if the PassSync service is installed on AD (and every AD in 
the domain)

> 2) If yes on 1) will it be possible for Linux computers to
> authenticate against the FDS rather than the AD?

Yes. Linux users can authenticate to the IPA DS using simple auth and 
the KDC using their password.

> 3) If yes on 2), when updates are made to FreeIPA to implement more
> functionality, will it still be possible to replicate the basic
> user data for authentication without "disturbing" the new
> functionality?

That is always our goal. One may need to run a provided migration script 
when going between major versions but one should be able to move upward 
relatively easily.

> 
> 4) Any alternatives you recommend or suggest me to look into?

You might be able to authenticate against AD directly.

rob
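The sync rules in Rob's reply (a new AD user is pulled over; an existing IPA user is connected to an AD account only when it carries the ntUser objectclass and an ntUserDomainId matching that account) are easy to get subtly wrong when pre-creating users on the IPA side. The script below is an added example, not code from the original thread or from FreeIPA/389 DS: it models that linking predicate offline over constructed sample entries and emits the LDIF needed to attach an existing IPA user to its AD account. The DN layout (uid=...,cn=users,cn=accounts,<suffix>), the use of sAMAccountName as the AD identifier, and the sample data are assumptions for the example.

```python
"""Added example (not from the original post or the FreeIPA project).

Models the winsync linking rule described in the thread: an IPA user is
connected to an AD user only if it has objectclass ntUser AND an
ntUserDomainId that matches an existing AD account name.

Assumptions (not from the page): AD accounts are identified by their
sAMAccountName, LDAP attribute/value matching is case-insensitive, and
IPA users live under cn=users,cn=accounts,<suffix>.
"""


def _lower_set(values):
    return {v.lower() for v in values}


def entry_attr(entry, name):
    """Case-insensitive attribute lookup on a dict-based LDAP entry;
    always returns a list, like an LDAP multi-valued attribute."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []


def will_link_to_ad(ipa_entry, ad_sam_accounts):
    """True if sync would connect this IPA user to an AD user.

    Both conditions from the thread must hold: objectclass ntUser is
    present, and some ntUserDomainId value names an existing AD account.
    """
    object_classes = _lower_set(entry_attr(ipa_entry, "objectClass"))
    if "ntuser" not in object_classes:
        return False
    domain_ids = _lower_set(entry_attr(ipa_entry, "ntUserDomainId"))
    return bool(domain_ids & _lower_set(ad_sam_accounts))


def classify_ipa_users(ipa_entries, ad_sam_accounts):
    """Map each IPA uid to whether it would be linked to an AD account."""
    return {
        entry_attr(entry, "uid")[0]: will_link_to_ad(entry, ad_sam_accounts)
        for entry in ipa_entries
    }


def link_user_ldif(uid, ad_account, suffix="dc=example,dc=com"):
    """LDIF modify record that adds the ntUser objectclass and the
    ntUserDomainId to an existing IPA user so the next sync pass connects
    it to the AD account (DN layout is an assumption of this example)."""
    dn = f"uid={uid},cn=users,cn=accounts,{suffix}"
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: ntUser\n"
        "-\n"
        "add: ntUserDomainId\n"
        f"ntUserDomainId: {ad_account}\n"
    )


# Constructed sample data: names in AD and three IPA-side user entries.
AD_ACCOUNTS = ["jdoe", "asmith"]
IPA_USERS = [
    # correctly prepared: has ntUser and a matching ntUserDomainId
    {"uid": "jdoe", "objectClass": ["person", "posixAccount", "ntUser"],
     "ntUserDomainId": "jdoe"},
    # ntUserDomainId set but objectclass ntUser forgotten: will NOT link
    {"uid": "asmith", "objectClass": ["person", "posixAccount"],
     "ntUserDomainId": "asmith"},
    # no such account in AD: will NOT link
    {"uid": "bwayne", "objectClass": ["person", "ntUser"],
     "ntUserDomainId": "bwayne"},
]

if __name__ == "__main__":
    for uid, linked in classify_ipa_users(IPA_USERS, AD_ACCOUNTS).items():
        print(f"{uid}: {'links to AD' if linked else 'stays IPA-only'}")
    # LDIF that repairs the asmith entry so it links on the next sync
    print(link_user_ldif("asmith", "asmith"))
```

Running it shows only jdoe linking; asmith is the common mistake (domain id present, objectclass missing) and the printed LDIF is the fix one would feed to ldapmodify against the IPA directory. Password flow is a separate matter: per the reply above, passwords only follow once PassSync is installed on the AD side, so a linked account without PassSync still has no usable password in IPA.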
