<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 03/22/2014 05:47 PM, Will Sheldon wrote:
    <blockquote
      cite="mid:9FF6A479E0BA458DA414CBAD739CFD8A@willsheldon.com"
      type="cite">
      <div style="font-family: Helvetica; font-size: 13px;">
        <div><br>
        </div>
        <div>I’d be curious to see how well a solution that combines
          pGina using RADIUS against some middleware like the Gluu
          server (<a class="moz-txt-link-abbreviated" href="http://www.gluu.org">www.gluu.org</a>)  backed by IPA would work.</div>
      </div>
    </blockquote>
    <br>
    This is not an interesting scenario. This would probably work
    right now but the machine would still not know who the user is
    because it will not know the user's SID, so he would be foreign and no
    Windows policies would apply to him. I suspect such a user would have
    no or very limited read-only access to Windows resources because all
    Windows ACLs are based on knowing the user's SID and the SIDs of the
    groups the user is a member of.<br>
    The value of native IdM integration would be to get the user SID and
    SIDs of the groups from IdM and then get the right Kerberos
    ticket(s) for Windows resources using cross-realm Kerberos trusts
    and put these tickets into the right place so that the Windows system
    can use them automatically when the user navigates to the corresponding
    resource. Something like this.<br>
    <br>
    <blockquote
      cite="mid:9FF6A479E0BA458DA414CBAD739CFD8A@willsheldon.com"
      type="cite">
      <div style="font-family: Helvetica; font-size: 13px;">
        <div><br>
        </div>
        <div>It strikes me that getting domain federation between IPA
          and Gluu would tick a lot of boxes as it seems to offer a host
          of authentication and accounting interfaces including OAuth,
          SAML, OpenID and of course RADIUS.</div>
      </div>
      <div>
        <div><br>
        </div>
        <br>
        Kind regards,<br>
        <br>
        Will Sheldon<br>
        +1.778-689-1244
        <div><br>
        </div>
      </div>
      <p style="color: #A0A0A8;">On Saturday, March 22, 2014 at 2:17 PM,
        Dmitri Pal wrote:</p>
      <blockquote type="cite"
style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
        <span>
          <div>
            <div>
              <div>On 03/22/2014 01:18 PM, Arthur wrote:</div>
              <blockquote type="cite">
                <div>
                  <div>Dmitri Pal wrote:</div>
                  <blockquote type="cite">
                    <div>
                      <div>On 03/20/2014 11:15 PM, Arthur Faizullin
                        wrote:</div>
                      <blockquote type="cite">
                        <div>
                          <div>Hi!</div>
                          <div>I've got some thoughts on the 4th point:
                            there is a <a moz-do-not-send="true"
                              href="http://pgina.org">http://pgina.org</a>/
                          </div>
                          <div>pgina</div>
                          <div>project, maybe they are able to do such a
                            thing.</div>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                      <div>Yes pgina is one of the options.</div>
                      <div>Someone would have to take it and integrate
                        with MIT Kerberos for </div>
                      <div>Windows if it is not already doing so.</div>
                      <div>But I suspect that it would be more a project
                        in itself that would </div>
                      <div>leverage code from MIT and may be pgina to
                        integrate different parts.</div>
                      <div>The biggest part figuring out the domain
                        affiliation. I mean the use </div>
                      <div>cases like this:</div>
                      <div>a) The system is domainless but user
                        authenticates with user name and </div>
                      <div>password against IPA</div>
                      <div>b) The system is domainless but user
                        authenticates with user name and </div>
                      <div>OTP against IPA</div>
                      <div>c) The system is in an AD domain trusted by
                        IdM domain but user </div>
                      <div>authenticates with user name and password
                        against IPA because he is </div>
                      <div>in IdM domain.</div>
                      <div>d) The system is in an AD domain trusted by
                        IdM domain but user </div>
                      <div>authenticates with user name and password
                        against IPA because he is </div>
                      <div>in IdM domain.</div>
                      <div><br>
                      </div>
                      <div>More to research. We can help with guidance
                        if someone wants to run </div>
                      <div>with it.</div>
                      <div><br>
                      </div>
                      <div>Thanks</div>
                      <div>Dmitri</div>
                      <div><br>
                      </div>
                      <blockquote type="cite">
                        <div>
                          <div><br>
                          </div>
                          <div>20.02.2014 04:23, Dmitri Pal wrote:</div>
                          <blockquote type="cite">
                            <div>
                              <div>Hello,</div>
                              <div><br>
                              </div>
                              <div>I want to summarize our position
                                regarding joining Windows systems</div>
                              <div>into IPA.</div>
                              <div><br>
                              </div>
                              <div>1) If you already have AD we
                                recommend using this system with AD and</div>
                              <div>using trusts between AD and IPA.</div>
                              <div>2) If you do not have AD then use
                                Samba 4 instead of it. It would be</div>
                              <div>great when Samba 4 grows capability
                                to establish trusts. Right now it</div>
                              <div>can't but there is an effort going
                                on. If you are interested - please</div>
                              <div>contribute.</div>
                              <div>3) If neither of the two options work
                                for you you can configure</div>
                              <div>Windows system to work directly with
                                IPA as described on the wiki. It</div>
                              <div>is an option of last resort because
                                IPA does not provide the services</div>
                              <div>windows client expects. If this is
                                good enough for you, fine by us.</div>
                              <div>4) Build a native Windows client
                                (cred provider) for IPA using latest</div>
                              <div>Kerberos. IMO this would be really
                                useful if someone does that because</div>
                              <div>we will not build this ourselves.
                                With the native OTP support in IPA</div>
                              <div>it becomes a real business
                                opportunity to provide a native 2FA
                                inside</div>
                              <div>enterprise across multiple platforms.
                                But please do it open source way</div>
                              <div>otherwise we would not recommend you
                                ;-)</div>
                            </div>
                          </blockquote>
                          <div>_______________________________________________</div>
                          <div>Freeipa-users mailing list</div>
                          <div><a moz-do-not-send="true"
                              href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a></div>
                          <div><a moz-do-not-send="true"
                              href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div>
                        </div>
                      </blockquote>
                    </div>
                  </blockquote>
                  <div>My friend agreed to try. He is a C# programmer. But
                    the problem is that he has </div>
                  <div>low knowledge about Kerberos and GSSAPI, and I could
                    not tell him what is </div>
                  <div>wrong with the current pgina LDAP plugin.</div>
                  <div>He does not want to subscribe to the freeipa
                    mailing lists, so maybe I shall </div>
                  <div>give him your (Dmitri) e-mail?</div>
                  <div>He speaks Russian :)</div>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div><br>
              </div>
              <div>List is really the way to develop open source
                software collaboratively. </div>
              <div>This is what we are doing here.</div>
              <div>We can agree that the communication about the topic
                will be prefixed in </div>
              <div>such a way that he can create a filter so that he
                would get only mails </div>
              <div>that match the filter.</div>
              <div>Would that work?</div>
              <div><br>
              </div>
              <div>I am not sure that I would be able to provide all the
                support. We are a </div>
              <div>community here and we have different roles and
                angles. Working with just </div>
              <div>one person would not fly, sorry.</div>
              <div><br>
              </div>
              <blockquote type="cite">
                <div>
                  <div><br>
                  </div>
                </div>
              </blockquote>
              <div><br>
              </div>
              <div><br>
              </div>
              <div>-- </div>
              <div>Thank you,</div>
              <div>Dmitri Pal</div>
              <div><br>
              </div>
              <div>Sr. Engineering Manager for IdM portfolio</div>
              <div>Red Hat Inc.</div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div>-------------------------------</div>
              <div>Looking to carve out IT costs?</div>
              <div><a moz-do-not-send="true"
                  href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a></div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
            </div>
          </div>
        </span> </blockquote>
      <div> <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
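To make the SID point above concrete, here is an added example (not code from the thread, FreeIPA or pGina) that builds the set of SIDs a Windows ACL check would see from an IPA user record and its groups, and shows that a name-only login yields nothing to match against. The attribute name ipaNTSecurityIdentifier is taken from FreeIPA's AD-trust schema; the SIDs, DNs and ACL are constructed sample data.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Serialise 'S-1-5-21-...' into the binary SID layout Windows uses:
    revision, sub-authority count, 48-bit authority (big-endian), then
    each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, e.g. for an AD objectSid value."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)

def build_token(user: dict, groups: dict) -> set:
    """SIDs a Windows ACL check would see: the user's own SID plus those of
    the IPA groups he belongs to. A record without a SID yields an empty
    token, which is the 'foreign user' case from the mail."""
    token = set()
    if user.get("ipaNTSecurityIdentifier"):
        token.add(user["ipaNTSecurityIdentifier"])
    for dn in user.get("memberOf", []):
        sid = groups.get(dn, {}).get("ipaNTSecurityIdentifier")
        if sid:
            token.add(sid)
    return token

def access_allowed(token: set, acl: list) -> bool:
    """Minimal ACE walk: any matching deny wins, otherwise any matching allow."""
    if any(sid in token for kind, sid in acl if kind == "deny"):
        return False
    return any(sid in token for kind, sid in acl if kind == "allow")

# Constructed sample data; SIDs and DNs are invented for illustration.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ENGINEERS_DN = "cn=engineers,cn=groups,cn=accounts,dc=example,dc=test"
GROUPS = {ENGINEERS_DN: {"ipaNTSecurityIdentifier": DOMAIN_SID + "-1005"}}
IPA_USER = {"uid": "alice", "ipaNTSecurityIdentifier": DOMAIN_SID + "-1002",
            "memberOf": [ENGINEERS_DN]}
NAME_ONLY_USER = {"uid": "alice"}            # all a RADIUS/pGina login learns
SHARE_ACL = [("allow", DOMAIN_SID + "-1005")]  # share granted to engineers
```

With the sample data, access_allowed(build_token(IPA_USER, GROUPS), SHARE_ACL) is true while the name-only record is denied, which is the gap a native IdM client would close by fetching SIDs from IPA.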
  </body>
</html>