[Freeipa-devel] Mixed environment - MS and NIX
Rob Crittenden
rcritten at redhat.com
Mon Jan 19 15:08:53 UTC 2009
Christoffer Strömblad wrote:
> Hi list,
>
> I'm currently doing a "pre-study" for a project where a company is
> trying to standardize their use of Linux into a coherent, centrally
> managed system. Part of this is to manage and authenticate users,
> again centrally.
>
> Now I'm very much in love with open source software, but as much as
> I'd like to simply provide a separate system for all of this we
> live in a mixed environment and business requirements. One of these
> dreaded requirements is to use AD for authentication.
>
> Now to the questions:
> 1) Is it possible to somehow replicate data from an AD over to
> fedora directory service? (I think this is a yes from what I've
> read)
Yes. We currently only sync the following information:
- New users added to AD
- Existing IPA users that have a ntuserdomainid that matches an AD user
and have the objectclass ntUser (so you can create a user in IPA and
then connect them to an existing AD user)
- Passwords if the PassSync service is installed on AD (and every AD in
the domain)
> 2) If yes on 1) will it be possible for Linux computers to
> authenticate against the FDS rather than the AD?
Yes. Linux users can authenticate to the IPA DS using simple auth and
the KDC using their password.
> 3) If yes on 2), when updates are made to FreeIPA to implement more
> functionality, will it still be possible to replicate the basic
> user data for authentication without "disturbing" the new
> functionality?
That is always our goal. One may need to run a provided migration script
when going between major versions but one should be able to move upward
relatively easily.
>
> 4) Any alternatives you recommend or suggest me to look into?
You might be able to authenticate against AD directly.
rob