<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/29/2015 06:19 PM, Steven Jones
wrote:<br>
</div>
<blockquote cite="mid:1422573475135.3911@vuw.ac.nz" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Where is this at? ie is the above a supported configuration?</p>
</div>
</blockquote>
<br>
Supported.<br>
<br>
<blockquote cite="mid:1422573475135.3911@vuw.ac.nz" type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><br>
</p>
<p>So will passync and winsync work OK?</p>
</div>
</blockquote>
<br>
Yes<br>
<br>
<blockquote cite="mid:1422573475135.3911@vuw.ac.nz" type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><br>
</p>
<p>Will trusts?</p>
</div>
</blockquote>
<br>
Yes<br>
<br>
<blockquote cite="mid:1422573475135.3911@vuw.ac.nz" type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><br>
</p>
<p>Will they work together? </p>
</div>
</blockquote>
<br>
Only during migration.<br>
There is a migration strategy.
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust">http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust</a><br>
<br>
<blockquote cite="mid:1422573475135.3911@vuw.ac.nz" type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>So ideally I'd like to use winsync and passsync to provision
users from AD to IPA. Then in specific low security situations
use trusts to grant access. So for low security instances
eg a user on a windows or linux desktop can login with one
password. <br>
</p>
</div>
</blockquote>
<br>
I am not sure I follow.<br>
<br>
With trust you have a single user entry in AD and even if a Linux
system is connected to IPA the user logging into it will
authenticate against AD but it will be IPA that will define whether
this user can access this system. It will be defined via HBAC rules.<br>
<br>
So whether you use trust or sync the access control is orthogonal
and depends on which system the host is joined to. <br>
I guess you need to take a look at how IPA can define HBAC rules for
users from AD in trust case. You add an AD group as a member of the
IPA group and then apply HBAC policy to that IPA group.<br>
<br>
<blockquote cite="mid:1422573475135.3911@vuw.ac.nz" type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><br>
</p>
<p>However for high level security I want to have permissions
only granted/grantable in IPA. So an admin to say the HR
database server cannot login with a trust from IPA they have
to be in a user group setup in IPA only.<br>
</p>
<p><br>
</p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:; margin:0">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<p>regards</p>
<p>Steven </p>
</div>
</div>
</div>
</div>
</div>
<div style="color: rgb(33, 33, 33);">
<div><br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>