[Freeipa-users] Cross realm authentication

Simo Sorce ssorce at redhat.com
Fri Dec 18 19:30:01 UTC 2009


On Fri, 18 Dec 2009 12:31:44 -0500
Dan Scott <danieljamesscott at gmail.com> wrote:

> So clients in A.EXAMPLE.COM should be able to authenticate to
> C.B.EXAMPLE.COM, but not the other way around (This is how I would
> like it setup).
> 
> However, this does not appear to work. I assume that I need to add
> some entries to the LDAP server as well? Does anyone know if this is
> true and if so, how I should go about it?

There are 2 things to consider when cross-realm trusts are involved.
1. Certainly a correct setup so that clients can successfully perform
authentication. See Nalin's remarks on that.

2. The second is that in order to log in on a system you need not only
a successful authentication but also an actual user (with uid, gid, home, shell
info) the system can associate with your successful authentication.
Unless you are interested only in something like http auth, which can
work w/o real system users.
This second part requires a way to provide the other realm's users
to your system. At the moment we do not have any automated mechanism in
FreeIPA itself or in the client to provide that. We will work on these
features next year.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
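The two checks Simo separates (Kerberos authentication succeeding for some principal, versus the host being able to turn that principal into a real POSIX account) can be modelled in a few lines. The following is an added example, not code from the post or from FreeIPA; the realm names, the trust table, the account table and the principal-to-login mapping rules are all constructed for illustration and are not FreeIPA configuration.

```python
"""Added example (not from the post or FreeIPA): model the two checks a host
must pass before a cross-realm login succeeds. Check 1 is Kerberos
authentication (here simply a boolean supplied by the caller); check 2 is
whether the host can map the authenticated principal to a real POSIX account
(uid, gid, home, shell). All names and tables below are constructed."""
import pwd
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

HOST_REALM = "C.B.EXAMPLE.COM"       # constructed: realm of the host being logged into
TRUSTED_REALMS = {"A.EXAMPLE.COM"}   # constructed: realms trusted one-way into HOST_REALM


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# Constructed stand-in for the NSS passwd database; a real host would use
# system_lookup() below (getpwnam) instead.
FAKE_PASSWD: Dict[str, Account] = {
    "dan": Account("dan", 1000, 1000, "/home/dan", "/bin/bash"),
    "dan-a": Account("dan-a", 2000, 2000, "/home/dan-a", "/bin/bash"),
}


def fake_lookup(name: str) -> Optional[Account]:
    return FAKE_PASSWD.get(name)


def system_lookup(name: str) -> Optional[Account]:
    """Real NSS lookup on a host; not used by the demo so it runs anywhere."""
    try:
        p = pwd.getpwnam(name)
    except KeyError:
        return None
    return Account(p.pw_name, p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell)


def principal_to_local(principal: str,
                       foreign_map: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Map user@REALM to a local login name (hypothetical simplified rules):
    a principal in the host's own realm maps to its user part; a principal
    from a trusted foreign realm maps only if foreign_map explicitly
    provisions it; everything else is refused."""
    if principal.count("@") != 1:
        return None, "malformed principal"
    user, realm = principal.split("@")
    if not user or not realm:
        return None, "malformed principal"
    if realm == HOST_REALM:
        return user, "local realm"
    if realm not in TRUSTED_REALMS:
        return None, "realm not trusted"
    local = foreign_map.get(principal)
    if local is None:
        return None, "authenticated but no local account mapping"
    return local, "foreign realm, provisioned mapping"


def login_decision(principal: str, authenticated: bool,
                   foreign_map: Optional[Dict[str, str]] = None,
                   lookup: Callable[[str], Optional[Account]] = fake_lookup
                   ) -> Tuple[bool, str, Optional[Account]]:
    """Return (allowed, reason, account); both checks must pass."""
    if not authenticated:
        return False, "authentication failed", None
    local, why = principal_to_local(principal, foreign_map or {})
    if local is None:
        return False, why, None
    acct = lookup(local)
    if acct is None:
        return False, f"mapped to '{local}' but no passwd entry", None
    return True, f"ok ({why})", acct


if __name__ == "__main__":
    for p in ("dan@C.B.EXAMPLE.COM", "dan@A.EXAMPLE.COM", "guest@OTHER.EXAMPLE.COM"):
        print(p, login_decision(p, authenticated=True))
    # Providing the foreign realm's user to the host is the missing piece.
    print("after provisioning:",
          login_decision("dan@A.EXAMPLE.COM", True, {"dan@A.EXAMPLE.COM": "dan-a"}))
```

Run as-is, `dan@A.EXAMPLE.COM` is refused with "authenticated but no local account mapping" even though authentication succeeded, which is exactly the gap described in point 2; only once a mapping and a matching passwd entry exist does the login go through. On a real host, pass `lookup=system_lookup` to resolve against NSS instead of the constructed table.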
